High severityNVD Advisory· Published Oct 26, 2023· Updated Feb 13, 2025
Elasticsearch uncontrolled resource consumption
CVE-2023-31418
Description
An issue has been identified with how Elasticsearch handled incoming requests on the HTTP layer. An unauthenticated user could force an Elasticsearch node to exit with an OutOfMemory error by sending a moderate number of malformed HTTP requests. The issue was identified by Elastic Engineering and we have no indication that the issue is known or that it is being exploited in the wild.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Elasticsearch is vulnerable to uncontrolled resource consumption via malformed HTTP requests, allowing an unauthenticated attacker to cause an OutOfMemory error, mitigated in versions 7.17.13 and 8.9.0.
Vulnerability
Description CVE-2023-31418 is a vulnerability in Elasticsearch where the HTTP layer improperly handles malformed requests, leading to uncontrolled memory consumption. An unauthenticated attacker can send a moderate number of specially crafted HTTP requests to an Elasticsearch node, causing the node to exhaust its memory and exit with an OutOfMemory error [1][3].
Attack
Vector The attack is remotely exploitable over the network without authentication or user interaction (CVSS: 7.5, AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). The attacker only needs the ability to send HTTP requests to the vulnerable Elasticsearch node [1].
Impact
Successful exploitation results in a denial of service by crashing the Elasticsearch node, potentially affecting the entire cluster's availability. The vulnerability does not affect confidentiality or integrity [1][3].
Mitigation
Elastic has released patches: upgrade to Elasticsearch 7.17.13, 8.9.0, or later. For Elastic Cloud Enterprise, upgrade to versions 2.13.4 or 3.6.1. No workarounds are available [3]. There is no evidence of active exploitation [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.elasticsearch:elasticsearchMaven | < 7.17.13 | 7.17.13 |
org.elasticsearch:elasticsearchMaven | >= 8.0.0, < 8.9.0 | 8.9.0 |
Affected products
137- osv-coords136 versionspkg:apk/chainguard/trinopkg:apk/chainguard/trino-configpkg:apk/chainguard/trino-oci-entrypointpkg:apk/chainguard/trino-plugin-accumulopkg:apk/chainguard/trino-plugin-ai-functionspkg:apk/chainguard/trino-plugin-atoppkg:apk/chainguard/trino-plugin-bigquerypkg:apk/chainguard/trino-plugin-blackholepkg:apk/chainguard/trino-plugin-cassandrapkg:apk/chainguard/trino-plugin-clickhousepkg:apk/chainguard/trino-plugin-delta-lakepkg:apk/chainguard/trino-plugin-druidpkg:apk/chainguard/trino-plugin-duckdbpkg:apk/chainguard/trino-plugin-elasticsearchpkg:apk/chainguard/trino-plugin-example-httppkg:apk/chainguard/trino-plugin-exasolpkg:apk/chainguard/trino-plugin-exchange-filesystempkg:apk/chainguard/trino-plugin-exchange-hdfspkg:apk/chainguard/trino-plugin-fakerpkg:apk/chainguard/trino-plugin-functions-pythonpkg:apk/chainguard/trino-plugin-geospatialpkg:apk/chainguard/trino-plugin-google-sheetspkg:apk/chainguard/trino-plugin-hivepkg:apk/chainguard/trino-plugin-http-event-listenerpkg:apk/chainguard/trino-plugin-http-server-event-listenerpkg:apk/chainguard/trino-plugin-hudipkg:apk/chainguard/trino-plugin-icebergpkg:apk/chainguard/trino-plugin-ignitepkg:apk/chainguard/trino-plugin-jmxpkg:apk/chainguard/trino-plugin-kafkapkg:apk/chainguard/trino-plugin-kafka-event-listenerpkg:apk/chainguard/trino-plugin-kinesispkg:apk/chainguard/trino-plugin-kudupkg:apk/chainguard/trino-plugin-lakehousepkg:apk/chainguard/trino-plugin-ldap-group-providerpkg:apk/chainguard/trino-plugin-local-filepkg:apk/chainguard/trino-plugin-lokipkg:apk/chainguard/trino-plugin-mariadbpkg:apk/chainguard/trino-plugin-memorypkg:apk/chainguard/trino-plugin-mlpkg:apk/chainguard/trino-plugin-mongodbpkg:apk/chainguard/trino-plugin-mysqlpkg:apk/chainguard/trino-plugin-mysql-event-listenerpkg:apk/chainguard/trino-plugin-opapkg:apk/chainguard/trino-plugin-openlineagepkg:apk/chainguard/trino-plugin-opensearchpkg:apk/chainguard/trino-plugin-oraclepkg:apk/chainguard/trino-plugin-password-authenticatorspkg:apk/chainguard/trino-plugin-phoenix5pkg:apk/chainguard/trino-plugin-pinotpkg:apk/chainguard/trino-plugin-postgresqlpkg:apk/chainguard/trino-plugin-prometheuspkg:apk/chainguard/trino-plugin-rangerpkg:apk/chainguard/trino-plugin-raptor-legacypkg:apk/chainguard/trino-plugin-redispkg:apk/chainguard/trino-plugin-redshiftpkg:apk/chainguard/trino-plugin-resource-group-managerspkg:apk/chainguard/trino-plugin-session-property-managerspkg:apk/chainguard/trino-plugin-singlestorepkg:apk/chainguard/trino-plugin-snowflakepkg:apk/chainguard/trino-plugin-spooling-filesystempkg:apk/chainguard/trino-plugin-sqlserverpkg:apk/chainguard/trino-plugin-teradata-functionspkg:apk/chainguard/trino-plugin-thriftpkg:apk/chainguard/trino-plugin-tpcdspkg:apk/chainguard/trino-plugin-tpchpkg:apk/chainguard/trino-plugin-verticapkg:apk/wolfi/trinopkg:apk/wolfi/trino-configpkg:apk/wolfi/trino-oci-entrypointpkg:apk/wolfi/trino-plugin-accumulopkg:apk/wolfi/trino-plugin-ai-functionspkg:apk/wolfi/trino-plugin-atoppkg:apk/wolfi/trino-plugin-bigquerypkg:apk/wolfi/trino-plugin-blackholepkg:apk/wolfi/trino-plugin-cassandrapkg:apk/wolfi/trino-plugin-clickhousepkg:apk/wolfi/trino-plugin-delta-lakepkg:apk/wolfi/trino-plugin-druidpkg:apk/wolfi/trino-plugin-duckdbpkg:apk/wolfi/trino-plugin-elasticsearchpkg:apk/wolfi/trino-plugin-example-httppkg:apk/wolfi/trino-plugin-exasolpkg:apk/wolfi/trino-plugin-exchange-filesystempkg:apk/wolfi/trino-plugin-exchange-hdfspkg:apk/wolfi/trino-plugin-fakerpkg:apk/wolfi/trino-plugin-functions-pythonpkg:apk/wolfi/trino-plugin-geospatialpkg:apk/wolfi/trino-plugin-google-sheetspkg:apk/wolfi/trino-plugin-hivepkg:apk/wolfi/trino-plugin-http-event-listenerpkg:apk/wolfi/trino-plugin-http-server-event-listenerpkg:apk/wolfi/trino-plugin-hudipkg:apk/wolfi/trino-plugin-icebergpkg:apk/wolfi/trino-plugin-ignitepkg:apk/wolfi/trino-plugin-jmxpkg:apk/wolfi/trino-plugin-kafkapkg:apk/wolfi/trino-plugin-kafka-event-listenerpkg:apk/wolfi/trino-plugin-kinesispkg:apk/wolfi/trino-plugin-kudupkg:apk/wolfi/trino-plugin-lakehousepkg:apk/wolfi/trino-plugin-ldap-group-providerpkg:apk/wolfi/trino-plugin-local-filepkg:apk/wolfi/trino-plugin-lokipkg:apk/wolfi/trino-plugin-mariadbpkg:apk/wolfi/trino-plugin-memorypkg:apk/wolfi/trino-plugin-mlpkg:apk/wolfi/trino-plugin-mongodbpkg:apk/wolfi/trino-plugin-mysqlpkg:apk/wolfi/trino-plugin-mysql-event-listenerpkg:apk/wolfi/trino-plugin-opapkg:apk/wolfi/trino-plugin-openlineagepkg:apk/wolfi/trino-plugin-opensearchpkg:apk/wolfi/trino-plugin-oraclepkg:apk/wolfi/trino-plugin-password-authenticatorspkg:apk/wolfi/trino-plugin-phoenix5pkg:apk/wolfi/trino-plugin-pinotpkg:apk/wolfi/trino-plugin-postgresqlpkg:apk/wolfi/trino-plugin-prometheuspkg:apk/wolfi/trino-plugin-rangerpkg:apk/wolfi/trino-plugin-raptor-legacypkg:apk/wolfi/trino-plugin-redispkg:apk/wolfi/trino-plugin-redshiftpkg:apk/wolfi/trino-plugin-resource-group-managerspkg:apk/wolfi/trino-plugin-session-property-managerspkg:apk/wolfi/trino-plugin-singlestorepkg:apk/wolfi/trino-plugin-snowflakepkg:apk/wolfi/trino-plugin-spooling-filesystempkg:apk/wolfi/trino-plugin-sqlserverpkg:apk/wolfi/trino-plugin-teradata-functionspkg:apk/wolfi/trino-plugin-thriftpkg:apk/wolfi/trino-plugin-tpcdspkg:apk/wolfi/trino-plugin-tpchpkg:apk/wolfi/trino-plugin-verticapkg:bitnami/elasticsearchpkg:maven/org.elasticsearch/elasticsearch
< 0+ 135 more
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 7.17.13
- (no CPE)range: < 7.17.13
- Range: 7.17.12
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
6- github.com/advisories/GHSA-2cqf-6xv9-f22wghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-31418ghsaADVISORY
- discuss.elastic.co/t/elasticsearch-8-9-0-7-17-13-security-update/343616ghsaWEB
- security.netapp.com/advisory/ntap-20231130-0005ghsaWEB
- www.elastic.co/community/securityghsaWEB
- security.netapp.com/advisory/ntap-20231130-0005/mitre
News mentions
0No linked articles in our index yet.