Moderate severityGHSA Advisory· Published Dec 18, 2025· Updated Dec 19, 2025

Filebeat Improper Validation of Specified Index, Position, or Offset in Input

CVE-2025-68383

Description

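Improper Validation of Specified Index, Position, or Offset in Input (CWE-1285) in the Filebeat Syslog parser and the Libbeat Dissect processor can allow a user to trigger a Buffer Overflow (CAPEC-100) and cause a denial of service (panic/crash) of the Filebeat process, via either a malformed Syslog message or a malicious tokenizer pattern in the Dissect configuration. For the Dissect processor, the patches listed below show the crash as a Go runtime panic: the field-name parser indexed the first regular-expression match without first checking that any match existed. The patches shown on this page touch only the Dissect processor; the Syslog parser change is not included here.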

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Ecosystem | Affected versions | Patched versions |
| --- | --- | --- | --- |
| github.com/elastic/beats/v7 | Go | >= 7.7.0, < 8.19.9 | 8.19.9 |
| github.com/elastic/beats/v7 | Go | >= 9.0.0, < 9.1.9 | 9.1.9 |
| github.com/elastic/beats/v7 | Go | >= 9.2.0, < 9.2.3 | 9.2.3 |
| github.com/elastic/beats/v7 | Go | < 7.0.0-alpha2.0.20251204214633-dd3af18220bf | 7.0.0-alpha2.0.20251204214633-dd3af18220bf |
| github.com/elastic/beats | Go | <= 7.6.2 | (none listed) |

Affected products

1

Patches

3
27a168fb1c59

fix(filebeat): prevent panic in dissect processor with invalid field name (#47839) (#47929)

https://github.com/elastic/beatsmergify[bot]Dec 4, 2025via ghsa
4 files changed · +67 8
  • changelog/fragments/1764614942-fix-panic-in-dissect-processor-with-invalid-field-name.yaml+45 0 added
    @@ -0,0 +1,45 @@
    +# REQUIRED
    +# Kind can be one of:
    +# - breaking-change: a change to previously-documented behavior
    +# - deprecation: functionality that is being removed in a later release
    +# - bug-fix: fixes a problem in a previous version
    +# - enhancement: extends functionality but does not break or fix existing behavior
    +# - feature: new functionality
    +# - known-issue: problems that we are aware of in a given version
    +# - security: impacts on the security of a product or a user’s deployment.
    +# - upgrade: important information for someone upgrading from a prior version
    +# - other: does not fit into any of the other categories
    +kind: bug-fix
    +
    +# REQUIRED for all kinds
    +# Change summary; a 80ish characters long description of the change.
    +summary: Prevent panic during startup if dissect processor has invalid field name in tokenizer
    +
    +# REQUIRED for breaking-change, deprecation, known-issue
    +# Long description; in case the summary is not enough to describe the change
    +# this field accommodate a description without length limits.
    +# description:
    +
    +# REQUIRED for breaking-change, deprecation, known-issue
    +# impact:
    +
    +# REQUIRED for breaking-change, deprecation, known-issue
    +# action:
    +
    +# REQUIRED for all kinds
    +# Affected component; usually one of "elastic-agent", "fleet-server", "filebeat", "metricbeat", "auditbeat", "all", etc.
    +component: filebeat
    +
    +# AUTOMATED
    +# OPTIONAL to manually add other PR URLs
    +# PR URL: A link the PR that added the changeset.
    +# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
    +# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
    +# Please provide it if you are adding a fragment for a different PR.
    +# pr: https://github.com/owner/repo/1234
    +
    +# AUTOMATED
    +# OPTIONAL to manually add other issue URLs
    +# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of).
    +# If not present is automatically filled by the tooling with the issue linked to the PR number.
    +# issue: https://github.com/owner/repo/1234
    
  • libbeat/processors/dissect/const.go+1 0 modified
    @@ -61,4 +61,5 @@ var (
     	errEmptyKey                  = errors.New("empty key")
     	errInvalidDatatype           = errors.New("invalid data type")
     	errMissingDatatype           = errors.New("missing data type")
    +	errInvalidFieldName          = errors.New("invalid field name")
     )
    
  • libbeat/processors/dissect/dissect_test.go+10 5 modified
    @@ -87,20 +87,25 @@ func TestDissectConversion(t *testing.T) {
     			},
     			Fail: false,
     		},
    +		{
    +			Name:     "Invalid field name should fail gracefully",
    +			Tok:      "%{\n}",
    +			Msg:      "test message",
    +			Expected: map[string]interface{}{},
    +			Fail:     true,
    +		},
     	}
     
     	for _, test := range tests {
     		t.Run(test.Name, func(t *testing.T) {
     			d, err := New(test.Tok)
    -			if !assert.NoError(t, err) {
    -				return
    -			}
    -
     			if test.Fail {
    -				_, err := d.DissectConvert(test.Msg)
     				assert.Error(t, err)
     				return
     			}
    +			if !assert.NoError(t, err) {
    +				return
    +			}
     
     			r, err := d.DissectConvert(test.Msg)
     			if !assert.NoError(t, err) {
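Review bot: The reworked `test.Fail` branch only asserts that `New(test.Tok)` returned some error, so the new case would still pass if the tokenizer `"%{\n}"` were rejected for an unrelated reason. Pinning the sentinel with `assert.ErrorIs(t, err, errInvalidFieldName)` would tie the test to the guard this commit adds, assuming `New` returns the sentinel directly or wraps it with `%w` (its body is not visible here). Because the branch returns before `DissectConvert` is called, a table entry that is expected to fail at conversion time can no longer be expressed, and the `Msg` and `Expected` fields on the new case are unused. `TestDissectConversion` starts and ends outside this hunk. The same hunk appears unchanged in the two other backport commits on this page (339fa3f887a1 and 2f971a057eea).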
    
  • libbeat/processors/dissect/field.go+11 3 modified
    @@ -239,7 +239,10 @@ func newField(id int, rawKey string, previous delimiter) (field, error) {
     		return newSkipField(id), nil
     	}
     
    -	key, dataType, ordinal, length, greedy := extractKeyParts(rawKey)
    +	key, dataType, ordinal, length, greedy, err := extractKeyParts(rawKey)
    +	if err != nil {
    +		return nil, err
    +	}
     
     	// rawKey will have | as suffix when data type is missing
     	if strings.HasSuffix(rawKey, dataTypeIndicator) {
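Review bot: The new `return nil, err` in `newField` passes the bare sentinel upward, so an operator whose Filebeat now refuses the configuration sees only "invalid field name", with no indication of which tokenizer key was rejected. Adding the key with `%q` makes non-printing input such as the newline in the regression test visible, for example `return nil, fmt.Errorf("%w: %q", errInvalidFieldName, rawKey)`. This assumes `fmt` is available in field.go and that no caller already adds the key, neither of which can be confirmed from the hunk. `newField` starts and ends outside this hunk, and the same hunk is repeated in the two other backport commits on this page.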
    @@ -331,9 +334,14 @@ func newNormalField(id int, key string, dataType string, ordinal int, length int
     	}
     }
     
    -func extractKeyParts(rawKey string) (key string, dataType string, ordinal int, length int, greedy bool) {
    +func extractKeyParts(rawKey string) (key string, dataType string, ordinal int, length int, greedy bool, err error) {
     	m := suffixRE.FindAllStringSubmatch(rawKey, -1)
     
    +	// check if we have at least one match otherwise the field is invalid.
    +	if len(m) == 0 {
    +		return "", "", 0, 0, false, errInvalidFieldName
    +	}
    +
     	if m[0][3] != "" {
     		ordinal, _ = strconv.Atoi(m[0][3])
     	}
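Review bot: Directly below the new `len(m) == 0` guard, `ordinal, _ = strconv.Atoi(m[0][3])` still discards its error, which leaves a second numeric value from the tokenizer unvalidated. If `suffixRE` (not visible here) allows a digit run longer than an `int` can hold, `Atoi` returns a clamped value together with a range error, and the clamped ordinal is used silently. Since `extractKeyParts` now has an error result, the failure can be reported, for example `if ordinal, err = strconv.Atoi(m[0][3]); err != nil { return "", "", 0, 0, false, errInvalidFieldName }`. The function body continues past this hunk, so any similar conversion for `length` should be checked in the same way. The same hunk is repeated in the two other backport commits on this page.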
    @@ -348,5 +356,5 @@ func extractKeyParts(rawKey string) (key string, dataType string, ordinal int, l
     
     	dataType = m[0][8]
     
    -	return m[0][1], dataType, ordinal, length, greedy
    +	return m[0][1], dataType, ordinal, length, greedy, nil
     }
    
339fa3f887a1

fix(filebeat): prevent panic in dissect processor with invalid field name (#47839) (#47928)

https://github.com/elastic/beatsmergify[bot]Dec 4, 2025via ghsa
4 files changed · +67 8
  • changelog/fragments/1764614942-fix-panic-in-dissect-processor-with-invalid-field-name.yaml+45 0 added
    @@ -0,0 +1,45 @@
    +# REQUIRED
    +# Kind can be one of:
    +# - breaking-change: a change to previously-documented behavior
    +# - deprecation: functionality that is being removed in a later release
    +# - bug-fix: fixes a problem in a previous version
    +# - enhancement: extends functionality but does not break or fix existing behavior
    +# - feature: new functionality
    +# - known-issue: problems that we are aware of in a given version
    +# - security: impacts on the security of a product or a user’s deployment.
    +# - upgrade: important information for someone upgrading from a prior version
    +# - other: does not fit into any of the other categories
    +kind: bug-fix
    +
    +# REQUIRED for all kinds
    +# Change summary; a 80ish characters long description of the change.
    +summary: Prevent panic during startup if dissect processor has invalid field name in tokenizer
    +
    +# REQUIRED for breaking-change, deprecation, known-issue
    +# Long description; in case the summary is not enough to describe the change
    +# this field accommodate a description without length limits.
    +# description:
    +
    +# REQUIRED for breaking-change, deprecation, known-issue
    +# impact:
    +
    +# REQUIRED for breaking-change, deprecation, known-issue
    +# action:
    +
    +# REQUIRED for all kinds
    +# Affected component; usually one of "elastic-agent", "fleet-server", "filebeat", "metricbeat", "auditbeat", "all", etc.
    +component: filebeat
    +
    +# AUTOMATED
    +# OPTIONAL to manually add other PR URLs
    +# PR URL: A link the PR that added the changeset.
    +# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
    +# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
    +# Please provide it if you are adding a fragment for a different PR.
    +# pr: https://github.com/owner/repo/1234
    +
    +# AUTOMATED
    +# OPTIONAL to manually add other issue URLs
    +# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of).
    +# If not present is automatically filled by the tooling with the issue linked to the PR number.
    +# issue: https://github.com/owner/repo/1234
    
  • libbeat/processors/dissect/const.go+1 0 modified
    @@ -61,4 +61,5 @@ var (
     	errEmptyKey                  = errors.New("empty key")
     	errInvalidDatatype           = errors.New("invalid data type")
     	errMissingDatatype           = errors.New("missing data type")
    +	errInvalidFieldName          = errors.New("invalid field name")
     )
    
  • libbeat/processors/dissect/dissect_test.go+10 5 modified
    @@ -87,20 +87,25 @@ func TestDissectConversion(t *testing.T) {
     			},
     			Fail: false,
     		},
    +		{
    +			Name:     "Invalid field name should fail gracefully",
    +			Tok:      "%{\n}",
    +			Msg:      "test message",
    +			Expected: map[string]interface{}{},
    +			Fail:     true,
    +		},
     	}
     
     	for _, test := range tests {
     		t.Run(test.Name, func(t *testing.T) {
     			d, err := New(test.Tok)
    -			if !assert.NoError(t, err) {
    -				return
    -			}
    -
     			if test.Fail {
    -				_, err := d.DissectConvert(test.Msg)
     				assert.Error(t, err)
     				return
     			}
    +			if !assert.NoError(t, err) {
    +				return
    +			}
     
     			r, err := d.DissectConvert(test.Msg)
     			if !assert.NoError(t, err) {
    
  • libbeat/processors/dissect/field.go+11 3 modified
    @@ -239,7 +239,10 @@ func newField(id int, rawKey string, previous delimiter) (field, error) {
     		return newSkipField(id), nil
     	}
     
    -	key, dataType, ordinal, length, greedy := extractKeyParts(rawKey)
    +	key, dataType, ordinal, length, greedy, err := extractKeyParts(rawKey)
    +	if err != nil {
    +		return nil, err
    +	}
     
     	// rawKey will have | as suffix when data type is missing
     	if strings.HasSuffix(rawKey, dataTypeIndicator) {
    @@ -331,9 +334,14 @@ func newNormalField(id int, key string, dataType string, ordinal int, length int
     	}
     }
     
    -func extractKeyParts(rawKey string) (key string, dataType string, ordinal int, length int, greedy bool) {
    +func extractKeyParts(rawKey string) (key string, dataType string, ordinal int, length int, greedy bool, err error) {
     	m := suffixRE.FindAllStringSubmatch(rawKey, -1)
     
    +	// check if we have at least one match otherwise the field is invalid.
    +	if len(m) == 0 {
    +		return "", "", 0, 0, false, errInvalidFieldName
    +	}
    +
     	if m[0][3] != "" {
     		ordinal, _ = strconv.Atoi(m[0][3])
     	}
    @@ -348,5 +356,5 @@ func extractKeyParts(rawKey string) (key string, dataType string, ordinal int, l
     
     	dataType = m[0][8]
     
    -	return m[0][1], dataType, ordinal, length, greedy
    +	return m[0][1], dataType, ordinal, length, greedy, nil
     }
    
2f971a057eea

fix(filebeat): prevent panic in dissect processor with invalid field name (#47839) (#47927)

https://github.com/elastic/beatsmergify[bot]Dec 4, 2025via ghsa
4 files changed · +67 8
  • changelog/fragments/1764614942-fix-panic-in-dissect-processor-with-invalid-field-name.yaml+45 0 added
    @@ -0,0 +1,45 @@
    +# REQUIRED
    +# Kind can be one of:
    +# - breaking-change: a change to previously-documented behavior
    +# - deprecation: functionality that is being removed in a later release
    +# - bug-fix: fixes a problem in a previous version
    +# - enhancement: extends functionality but does not break or fix existing behavior
    +# - feature: new functionality
    +# - known-issue: problems that we are aware of in a given version
    +# - security: impacts on the security of a product or a user’s deployment.
    +# - upgrade: important information for someone upgrading from a prior version
    +# - other: does not fit into any of the other categories
    +kind: bug-fix
    +
    +# REQUIRED for all kinds
    +# Change summary; a 80ish characters long description of the change.
    +summary: Prevent panic during startup if dissect processor has invalid field name in tokenizer
    +
    +# REQUIRED for breaking-change, deprecation, known-issue
    +# Long description; in case the summary is not enough to describe the change
    +# this field accommodate a description without length limits.
    +# description:
    +
    +# REQUIRED for breaking-change, deprecation, known-issue
    +# impact:
    +
    +# REQUIRED for breaking-change, deprecation, known-issue
    +# action:
    +
    +# REQUIRED for all kinds
    +# Affected component; usually one of "elastic-agent", "fleet-server", "filebeat", "metricbeat", "auditbeat", "all", etc.
    +component: filebeat
    +
    +# AUTOMATED
    +# OPTIONAL to manually add other PR URLs
    +# PR URL: A link the PR that added the changeset.
    +# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
    +# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
    +# Please provide it if you are adding a fragment for a different PR.
    +# pr: https://github.com/owner/repo/1234
    +
    +# AUTOMATED
    +# OPTIONAL to manually add other issue URLs
    +# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of).
    +# If not present is automatically filled by the tooling with the issue linked to the PR number.
    +# issue: https://github.com/owner/repo/1234
    
  • libbeat/processors/dissect/const.go+1 0 modified
    @@ -61,4 +61,5 @@ var (
     	errEmptyKey                  = errors.New("empty key")
     	errInvalidDatatype           = errors.New("invalid data type")
     	errMissingDatatype           = errors.New("missing data type")
    +	errInvalidFieldName          = errors.New("invalid field name")
     )
    
  • libbeat/processors/dissect/dissect_test.go+10 5 modified
    @@ -87,20 +87,25 @@ func TestDissectConversion(t *testing.T) {
     			},
     			Fail: false,
     		},
    +		{
    +			Name:     "Invalid field name should fail gracefully",
    +			Tok:      "%{\n}",
    +			Msg:      "test message",
    +			Expected: map[string]interface{}{},
    +			Fail:     true,
    +		},
     	}
     
     	for _, test := range tests {
     		t.Run(test.Name, func(t *testing.T) {
     			d, err := New(test.Tok)
    -			if !assert.NoError(t, err) {
    -				return
    -			}
    -
     			if test.Fail {
    -				_, err := d.DissectConvert(test.Msg)
     				assert.Error(t, err)
     				return
     			}
    +			if !assert.NoError(t, err) {
    +				return
    +			}
     
     			r, err := d.DissectConvert(test.Msg)
     			if !assert.NoError(t, err) {
    
  • libbeat/processors/dissect/field.go+11 3 modified
    @@ -239,7 +239,10 @@ func newField(id int, rawKey string, previous delimiter) (field, error) {
     		return newSkipField(id), nil
     	}
     
    -	key, dataType, ordinal, length, greedy := extractKeyParts(rawKey)
    +	key, dataType, ordinal, length, greedy, err := extractKeyParts(rawKey)
    +	if err != nil {
    +		return nil, err
    +	}
     
     	// rawKey will have | as suffix when data type is missing
     	if strings.HasSuffix(rawKey, dataTypeIndicator) {
    @@ -331,9 +334,14 @@ func newNormalField(id int, key string, dataType string, ordinal int, length int
     	}
     }
     
    -func extractKeyParts(rawKey string) (key string, dataType string, ordinal int, length int, greedy bool) {
    +func extractKeyParts(rawKey string) (key string, dataType string, ordinal int, length int, greedy bool, err error) {
     	m := suffixRE.FindAllStringSubmatch(rawKey, -1)
     
    +	// check if we have at least one match otherwise the field is invalid.
    +	if len(m) == 0 {
    +		return "", "", 0, 0, false, errInvalidFieldName
    +	}
    +
     	if m[0][3] != "" {
     		ordinal, _ = strconv.Atoi(m[0][3])
     	}
    @@ -348,5 +356,5 @@ func extractKeyParts(rawKey string) (key string, dataType string, ordinal int, l
     
     	dataType = m[0][8]
     
    -	return m[0][1], dataType, ordinal, length, greedy
    +	return m[0][1], dataType, ordinal, length, greedy, nil
     }
    


References

6
