VYPR
Moderate severity · NVD Advisory · Published Mar 27, 2024 · Updated Feb 13, 2025

Elasticsearch Uncontrolled Resource Consumption vulnerability

CVE-2024-23450

Description

A flaw was discovered in Elasticsearch, where processing a document in a deeply nested pipeline on an ingest node could cause the Elasticsearch node to crash.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A denial-of-service vulnerability in Elasticsearch allows a high-privileged attacker to crash an ingest node by sending a document through a deeply nested pipeline.

Vulnerability

Overview

CVE-2024-23450 is an uncontrolled resource consumption vulnerability in Elasticsearch. Processing a document through a deeply nested ingest pipeline on an ingest node causes the node to crash [1][4]. The crash results from uncontrolled resource consumption triggered by the excessive depth of pipeline processing [1].

Exploitation

To exploit this vulnerability, an attacker must have high privileges (such as an ingest user) and the ability to submit a document to a deeply nested pipeline [4]. No user interaction is required beyond submitting the crafted request, and the attack is performed over the network [4]. The vulnerability affects Elasticsearch versions 7.0.0 up to but not including 7.17.19, and 8.0.0 up to but not including 8.13.0 [4].

Impact

Successful exploitation crashes the Elasticsearch node, resulting in a denial-of-service condition [1][4]. Losing the node disrupts service availability and can affect cluster stability if the node is critical.

Mitigation

Elastic has released fixed versions: 7.17.19 and 8.13.0 [4]. Users should upgrade to these versions or later to remediate the vulnerability. No workarounds are mentioned in available sources. The vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities catalog.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
org.elasticsearch:elasticsearch (Maven) | >= 7.0.0, < 7.17.19 | 7.17.19
org.elasticsearch:elasticsearch (Maven) | >= 8.0.0, < 8.13.0 | 8.13.0
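
An added triage example, not code from Elastic or from this advisory: it checks a version string against the affected ranges listed above and measures how deeply the ingest pipelines in a `GET _ingest/pipeline` response call one another. It assumes nesting arises from `pipeline` processors invoking other pipelines, which the advisory does not spell out; the function names and the sample data are constructed for illustration.

```python
import re

AFFECTED = [((7, 0, 0), (7, 17, 19)), ((8, 0, 0), (8, 13, 0))]  # [affected from, fixed in)

def is_affected(version):
    """True if an Elasticsearch version string falls in an affected range."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return any(lo <= tuple(map(int, m.groups())) < hi for lo, hi in AFFECTED)

def called_pipelines(processors):
    """Yield pipeline names called via `pipeline` processors (incl. foreach/on_failure)."""
    for proc in processors or []:
        for kind, body in proc.items():
            if not isinstance(body, dict):
                continue
            if kind == "pipeline" and "name" in body:
                yield body["name"]
            if kind == "foreach" and "processor" in body:
                yield from called_pipelines([body["processor"]])
            yield from called_pipelines(body.get("on_failure"))

def nesting_depth(pipelines, name, stack=()):
    """Longest pipeline-call chain starting at `name`; None if it reaches a cycle."""
    if name in stack:
        return None
    body = pipelines.get(name)
    if body is None:  # undefined or templated pipeline name: cannot follow it
        return 0
    depth = 1
    for child in called_pipelines(body.get("processors")):
        sub = nesting_depth(pipelines, child, stack + (name,))
        if sub is None:
            return None
        depth = max(depth, 1 + sub)
    return depth

# Constructed sample shaped like a GET _ingest/pipeline response.
SAMPLE = {
    "outer": {"processors": [{"pipeline": {"name": "middle"}}]},
    "middle": {"processors": [{"foreach": {"field": "items",
        "processor": {"pipeline": {"name": "inner"}}}}]},
    "inner": {"processors": [{"lowercase": {"field": "msg"}}]},
    "loop_a": {"processors": [{"pipeline": {"name": "loop_b"}}]},
    "loop_b": {"processors": [{"pipeline": {"name": "loop_a"}}]},
}

if __name__ == "__main__":
    print(is_affected("8.12.2"), {n: nesting_depth(SAMPLE, n) for n in SAMPLE})
```

The advisory gives no depth threshold, so treat the reported depth as an input to review: unusually long chains or a `None` (cycle) on a node in an affected version are the ones to prioritise for upgrade.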

Affected products

142

References

6
