VYPR
Moderate severity · NVD Advisory · Published Apr 7, 2025 · Updated Apr 8, 2025

Graylog authenticated HTTP inputs ingest messages even if the Authorization header is missing or has a wrong value

CVE-2025-30373

Description

Graylog is a free and open log management platform. Starting with 6.1, HTTP inputs can be configured to require a specified header with a specified value, as a way of authenticating HTTP-based ingestion. Although a request whose header is missing or carries the wrong value correctly receives a 401 Unauthorized response, the message it carries is ingested nonetheless. Because the sender sees the expected 401, a check that only inspects the response status does not reveal the problem; whether the message was actually indexed is what has to be verified. Until you can upgrade, disable HTTP-based inputs and allow only authenticated pull-based inputs. The vulnerability is fixed in 6.1.9.
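As an added example (not Graylog's code and not part of the advisory), a Python probe for the behaviour described above: it posts a GELF message carrying a unique canary to the HTTP input with the configured header first missing and then wrong, confirms both attempts receive 401, and then searches for the canary through Graylog's REST API; on a version before 6.1.9 the canary is found despite the 401s. The legacy `/api/search/universal/relative` endpoint, the API-token-as-Basic-username convention, the `X-Requested-By` requirement, the canary field name and the `fake_graylog` simulator are assumptions of this example, and the input URL, header name and token are placeholders.

```python
"""Probe for CVE-2025-30373 (Graylog authenticated HTTP inputs). Constructed example, not Graylog code.

Assumptions not taken from the advisory: the GELF HTTP input answers 202 on accepted messages
and 401 on a failed header check; the legacy search endpoint /api/search/universal/relative
exists and accepts an API token as HTTP Basic username with password "token"; a GELF
additional field "_probe_canary" is indexed as "probe_canary".
"""
import base64
import json
import uuid
from urllib import error, request


def urllib_http(method, url, headers, body):
    """Default transport: one HTTP request via urllib, returning (status, body_bytes)."""
    req = request.Request(url, data=body, method=method, headers=headers)
    try:
        with request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except error.HTTPError as e:
        return e.code, e.read()


def gelf_message(canary, host="cve-2025-30373-probe"):
    """GELF 1.1 payload carrying a unique canary in an additional field (searchable later)."""
    return json.dumps({
        "version": "1.1",
        "host": host,
        "short_message": "auth probe " + canary,
        "_probe_canary": canary,
    }).encode()


def send_unauthenticated(gelf_url, auth_header, payload, http):
    """POST the payload with the auth header missing, then with a wrong value.
    Returns the two HTTP status codes; a correctly configured input answers 401 to both."""
    attempts = [
        {"Content-Type": "application/json"},
        {"Content-Type": "application/json", auth_header: "not-the-configured-value"},
    ]
    return [http("POST", gelf_url, hdrs, payload)[0] for hdrs in attempts]


def canary_was_ingested(api_base, api_token, canary, http, range_seconds=300):
    """Ask the search API whether any message in the last range_seconds carries the canary."""
    url = (f"{api_base}/api/search/universal/relative"
           f"?query=probe_canary:{canary}&range={range_seconds}")
    headers = {
        "Accept": "application/json",
        "X-Requested-By": "cve-2025-30373-probe",  # assumed: required by Graylog's CSRF guard
        "Authorization": "Basic " + base64.b64encode(f"{api_token}:token".encode()).decode(),
    }
    status, body = http("GET", url, headers, None)
    if status != 200:
        raise RuntimeError(f"search API returned HTTP {status}")
    return json.loads(body).get("total_results", 0) > 0


def probe(gelf_url, api_base, api_token, auth_header, http=urllib_http, wait=lambda: None):
    """Returns ("vulnerable" | "fixed" | "inconclusive", statuses).
    "inconclusive" means the input did not answer 401, so no header check is configured and
    a canary search would prove nothing about this CVE."""
    canary = uuid.uuid4().hex
    statuses = send_unauthenticated(gelf_url, auth_header, gelf_message(canary), http)
    if any(s != 401 for s in statuses):
        return "inconclusive", statuses
    wait()  # caller supplies a delay long enough for the message to be indexed
    if canary_was_ingested(api_base, api_token, canary, http):
        return "vulnerable", statuses
    return "fixed", statuses


def fake_graylog(ingests_despite_401):
    """Offline stand-in for the transport (constructed): always answers 401 to ingestion and
    reports the canary as found only when simulating the pre-6.1.9 behaviour."""
    seen = set()

    def http(method, url, headers, body):
        if method == "POST":
            seen.add(json.loads(body)["_probe_canary"])
            return 401, b""
        canary = url.split("probe_canary:")[1].split("&")[0]
        hit = ingests_despite_401 and canary in seen
        return 200, json.dumps({"total_results": 1 if hit else 0}).encode()

    return http


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 5:  # real run: probe.py GELF_URL API_BASE API_TOKEN HEADER_NAME
        import time
        verdict, seen = probe(*sys.argv[1:5], wait=lambda: time.sleep(5))
    else:  # offline demonstration against the simulator (placeholder URLs and token)
        verdict, seen = probe("http://graylog:12201/gelf", "http://graylog:9000", "token",
                              "X-Ingest-Key", http=fake_graylog(ingests_despite_401=True))
    print(verdict, seen)
```

Run it with no arguments to exercise the simulator; with `GELF_URL API_BASE API_TOKEN HEADER_NAME` it probes a real instance, and the `wait` argument is where to leave enough time for the message to be indexed before searching.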

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.graylog2:graylog2-server (Maven)
Affected versions: >= 6.1.0, < 6.1.9
Patched versions: 6.1.9

Patches

31bc13d3cd6f

Merge commit from fork

https://github.com/Graylog2/graylog2-server · Dan Torrey · Apr 1, 2025 · via ghsa
3 files changed · +28 -1
  • changelog/unreleased/GHSA-q7g5-jq6p-6wvx.toml (+2 -0, added)
    @@ -0,0 +1,2 @@
    +type = "s"
    +message = "Fixed authentication issue for HTTP inputs. [GHSA-q7g5-jq6p-6wvx](https://github.com/Graylog2/graylog2-server/security/advisories/GHSA-q7g5-jq6p-6wvx)"
    
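Review bot: the changelog entry names only the GHSA id; since the same fix is tracked as CVE-2025-30373, adding that id to the message (e.g. "Fixed authentication issue for HTTP inputs (CVE-2025-30373, GHSA-q7g5-jq6p-6wvx)") lets operators who grep release notes for the CVE find the fix. Otherwise fine.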
  • graylog2-server/src/main/java/org/graylog2/inputs/transports/netty/HttpHandler.java (+1 -0, modified)
    @@ -61,6 +61,7 @@ protected void channelRead0(ChannelHandlerContext ctx, HttpRequest request) thro
                 final String suppliedAuthHeaderValue = request.headers().get(authorizationHeader);
                 if (isBlank(suppliedAuthHeaderValue) || !suppliedAuthHeaderValue.equals(authorizationHeaderValue)) {
                     writeResponse(channel, keepAlive, httpRequestVersion, HttpResponseStatus.UNAUTHORIZED, origin);
    +                return;
                 }
             }
     
    
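Review bot: the `return;` is the whole fix and it is correct, but the comparison it guards, `!suppliedAuthHeaderValue.equals(authorizationHeaderValue)`, is not constant-time: String.equals stops at the first differing character, so response timing tells an unauthenticated sender how much of the shared header value it has guessed. Consider `java.security.MessageDigest.isEqual(suppliedAuthHeaderValue.getBytes(UTF_8), authorizationHeaderValue.getBytes(UTF_8))` here. A one-line comment above the `return` saying that falling through used to ingest the message would also stop someone from "simplifying" it away again.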
  • graylog2-server/src/test/java/org/graylog2/inputs/transports/netty/HttpHandlerTest.java (+25 -1, modified)
    @@ -16,6 +16,9 @@
      */
     package org.graylog2.inputs.transports.netty;
     
    +import io.netty.buffer.ByteBuf;
    +import io.netty.channel.ChannelHandlerContext;
    +import io.netty.channel.SimpleChannelInboundHandler;
     import io.netty.channel.embedded.EmbeddedChannel;
     import io.netty.handler.codec.http.DefaultFullHttpRequest;
     import io.netty.handler.codec.http.DefaultHttpRequest;
    @@ -235,7 +238,8 @@ private void testAuthentication(String expectedAuthHeader, String expectedAuthHe
     
             httpRequest.content().writeBytes(GELF_MESSAGE);
     
    -        channel = new EmbeddedChannel(new HttpHandler(true, expectedAuthHeader, expectedAuthHeaderValue, "/gelf"));
    +        final DownstreamHandler downstreamHandler = new DownstreamHandler();
    +        channel = new EmbeddedChannel(new HttpHandler(true, expectedAuthHeader, expectedAuthHeaderValue, "/gelf"), downstreamHandler);
             channel.writeInbound(httpRequest);
             channel.finish();
     
    @@ -248,5 +252,25 @@ private void testAuthentication(String expectedAuthHeader, String expectedAuthHe
             assertThat(headers.get(ACCESS_CONTROL_ALLOW_CREDENTIALS)).isEqualTo("true");
             assertThat(headers.get(ACCESS_CONTROL_ALLOW_HEADERS)).isEqualTo("Authorization, Content-Type");
             assertThat(headers.get(CONNECTION)).isEqualTo(HttpHeaderValues.CLOSE.toString());
    +        if (expectedStatus == HttpResponseStatus.ACCEPTED) {
    +            assertThat(downstreamHandler.received).isTrue();
    +        }else if (expectedStatus == HttpResponseStatus.UNAUTHORIZED) {
    +            assertThat(downstreamHandler.received).isFalse();
    +        } else {
    +            throw new AssertionError("Unexpected status: " + expectedStatus);
    +        }
    +    }
    +
    +    /**
    +     * Downstream handler for confirming that authorization failures halt message flow, and that message flow continues
    +     * for authentication successes.
    +     */
    +    private class DownstreamHandler extends SimpleChannelInboundHandler<ByteBuf> {
    +        public boolean received = false;
    +
    +        @Override
    +        protected void channelRead0(ChannelHandlerContext channelHandlerContext, io.netty.buffer.ByteBuf httpRequest) throws Exception {
    +            this.received = true;
    +        }
         }
     }
    
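Review bot: two style points in this hunk. `}else if (expectedStatus == HttpResponseStatus.UNAUTHORIZED)` is missing the space after the brace, and the second parameter of `channelRead0` is written as `io.netty.buffer.ByteBuf` although this change imports `ByteBuf` in the first test hunk; the parameter name `httpRequest` is also misleading, since what reaches this handler is the decoded message body, not the request. `received` could be a private field with an accessor rather than a public mutable one. On the logic, asserting on the downstream handler is the right check, because the regression was exactly that the 401 was written and the body still flowed on to the next handler.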
