{"id":"CVE-2024-52979","details":"Uncontrolled Resource Consumption in Elasticsearch while evaluating specifically crafted search templates with Mustache functions can lead to Denial of Service by causing the Elasticsearch node to crash.","aliases":["BIT-elasticsearch-2024-52979","GHSA-mm3m-5497-xggg"],"modified":"2026-04-12T09:58:16.027953Z","published":"2025-05-01T14:15:35.690Z","references":[{"type":"FIX","url":"https://discuss.elastic.co/t/elasticsearch-7-17-25-and-8-16-0-security-update-esa-2024-40/377709"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/elastic/elasticsearch","events":[{"introduced":"0"},{"fixed":"f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf"},{"introduced":"1b6a7ece17463df5ff54a3e1302d825889aa1161"},{"fixed":"12ff76a92922609df4aba61a368e7adf65589749"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"7.17.25"},{"introduced":"8.0.0"},{"fixed":"8.16.0"}]}}],"versions":["v7.0.0-alpha1","v7.0.0-alpha2","v7.16.0","v7.16.1","v7.17.0","v7.17.1","v7.17.10","v7.17.11","v7.17.12","v7.17.13","v7.17.14","v7.17.15","v7.17.16","v7.17.17","v7.17.18","v7.17.19","v7.17.2","v7.17.20","v7.17.21","v7.17.22","v7.17.23","v7.17.24","v7.17.3","v7.17.4","v7.17.5","v7.17.6","v7.17.7","v7.17.8","v7.17.9","v8.0.0-alpha1","v8.0.0-alpha2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-52979.json","vanir_signatures":[{"id":"CVE-2024-52979-0c1617d3","target":{"function":"testJsonEscapeEncoder","file":"modules/lang-mustache/src/test/java/org/elasticsearch/script/mustache/CustomMustacheFactoryTests.java"},"deprecated":false,"source":"https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf","signature_type":"Function","digest":{"function_hash":"71956332809056563880664223486586964683","length":415},"signature_version":"v1"},{"id":"CVE-2024-52979-139f0197","target":{"function":"testValidateWillPassWithEmptyContext","file":"x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/support/mapper/TemplateRoleNameTests.java"},"deprecated":false,"source":"https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf","signature_type":"Function","digest":{"function_hash":"144117584149441582895077635790369464822","length":736},"signature_version":"v1"},{"id":"CVE-2024-52979-1cb67c13","target":{"function":"testRolloverForFreshInstalledIndexTemplate","file":"x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/template/IndexTemplateRegistryTests.java"},"deprecated":false,"source":"https://github.com/elastic/elasticsearch/commit/12ff76a92922609df4aba61a368e7adf65589749","signature_type":"Function","digest":{"function_hash":"271324003785030329406728368991941391067","length":1652},"signature_version":"v1"},{"id":"CVE-2024-52979-1ee3c94e","target":{"function":"testValidateWillFailWhenStoredScriptIsNotEnabled","file":"x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/support/mapper/TemplateRoleNameTests.java"},"deprecated":false,"source":"https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf","signature_type":"Function","digest":{"function_hash":"39019849195163078364453451016207410144","length":1181},"signature_version":"v1"},{"id":"CVE-2024-52979-2b44eb1e","target":{"function":"init","file":"x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/support/WatcherTemplateTests.java"},"deprecated":false,"source":"https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf","signature_type":"Function","digest":{"function_hash":"49327279215996421982864842442725417674","length":352},"signature_version":"v1"},{"id":"CVE-2024-52979-333be3cd","target":{"file":"modules/lang-mustache/src/test/java/org/elasticsearch/script/mustache/CustomMustacheFactoryTests.java"},"deprecated":false,"source":"https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["260724815602827057161342286177331879369","299414520418435272494288839695706879875","335829256322753810474725743173018977790","198411042547988672265206865312720978285","15779814672166499281565761075813349228","46277467755220071900592609424390351156","329228786687257630019199695424718935281","71142104707383942207649566007965511467","226618092523756949690133323679628991533","277459634296988659285413589122364735896","43833142318932596798330563867445185713","13999140027293035083310181413892913952","124588977320519476626865312164560466561"]},"signature_version":"v1"},{"id":"CVE-2024-52979-34603f65","target":{"file":"modules/lang-mustache/src/test/java/org/elasticsearch/script/mustache/MustacheScriptEngineTests.java"},"deprecated":false,"source":"https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["217054524057156292207676394995186674373","327768302703017508604682486569004941672","281573697777141312458118871187442064337","309455408978515512922101582695487270046","295481389318677729763671893230986600901","166219367374926842139429060374574144815"]},"signature_version":"v1"},{"id":"CVE-2024-52979-3bf0ea81","target":{"function":"testResolveRoles","file":"x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/mapper/NativeRoleMappingStoreTests.java"},"deprecated":false,"source":"https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf","signature_type":"Function","digest":{"function_hash":"151803326117113157585457799975869449748","length":2805},"signature_version":"v1"},{"id":"CVE-2024-52979-3c33c3eb","target":{"file":"x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/mapper/NativeRoleMappingStoreTests.java"},"deprecated":false,"source":"https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["116788657788980503460590120729718152462","140217039344956654654139697964715819027","68306334621953786014381747112565645374","24801166495743943226395526232977233157"]},"signature_version":"v1"},{"id":"CVE-2024-52979-4767f946","target":{"function":"testValidateWillFailForSyntaxError","file":"x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/support/mapper/TemplateRoleNameTests.java"},"deprecated":false,"source":"https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf","signature_type":"Function","digest":{"function_hash":"111990246283836147376017136221580968231","length":428},"signature_version":"v1"},{"id":"CVE-2024-52979-4f5edb5b","target":{"file":"modules/lang-mustache/src/main/java/org/elasticsearch/script/mustache/MustacheScriptEngine.java"},"deprecated":false,"source":"https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["27903402534919546635791598199212766113","202767930690875079314622150558576239219","292749406633197378400834136773885899657","141430915633847606271967343419083194512","25665665366145358368122874853241654402","22463683707409288580481268856080475135","47473509260247958739848763824813536341","133601028643131039637350476030259704996","333505924171825618663039817871097482957","297868719096054393079480554301545342329","242397685812262189735767498840095765614","33067437703239928262509095675286934326","310170204601640840685388468965430677173","125954465490018876807588726586019966968","254598349714001788377917954619669607713","219532954386181260364522796085181762374"]},"signature_version":"v1"},{"id":"CVE-2024-52979-5650d50c","target":{"file":"modules/lang-mustache/src/main/java/org/elasticsearch/script/mustache/MustachePlugin.java"},"deprecated":false,"source":"https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["235899548147279606151004696324130254638","265280779188572200127151620888020312366","34886600251018868096240371489786639996","267796651286796079854174790520448593872"]},"signature_version":"v1"},{"id":"CVE-2024-52979-5edb0ea4","target":{"file":"qa/smoke-test-ingest-with-all-dependencies/src/yamlRestTest/java/org/elasticsearch/ingest/AbstractScriptTestCase.java"},"deprecated":false,"source":"https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["250455578566233581498805376339838561018","43049344507468769718159273179949187238","7740960689439864754600968723644591351","215100982401377851795135689002797041989"]},"signature_version":"v1"},{"id":"CVE-2024-52979-68d99f95","target":{"function":"testUrlEncoder","file":"modules/lang-mustache/src/test/java/org/elasticsearch/script/mustache/CustomMustacheFactoryTests.java"},"deprecated":false,"source":"https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf","signature_type":"Function","digest":{"function_hash":"198373931074114196356306182644999449192","length":440},"signature_version":"v1"},{"id":"CVE-2024-52979-78757b80","target":{"function":"testEvaluateRoles","file":"x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/support/mapper/TemplateRoleNameTests.java"},"deprecated":false,"source":"https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf","signature_type":"Function","digest":{"function_hash":"223760412447585316762464546076035857043","length":914},"signature_version":"v1"},{"id":"CVE-2024-52979-9377addb","target":{"file":"x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapRealmTests.java"},"deprecated":false,"source":"https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["263387662542072824009388131884560621030","86992289067773551865365100514802097971","210966287268628218075563521562566291740","23214285925001973253551710271742601663"]},"signature_version":"v1"},{"id":"CVE-2024-52979-9614dc2d","target":{"file":"x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/support/SecurityQueryTemplateEvaluatorTests.java"},"deprecated":false,"source":"https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["254663021826302954445532416611309785357","317705985389165139794914729691248532817","199371003652752454694329406658746181675","165216574118162534959982824576327545423","39164454649212262395848735863829733682","260026933103347080910720455062658806659"]},"signature_version":"v1"},{"id":"CVE-2024-52979-9c22b053","target":{"file":"x-pack/plugin/identity-provider/src/test/java/org/elasticsearch/xpack/idp/saml/sp/WildcardServiceProviderResolverTests.java"},"deprecated":false,"source":"https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["335756385624460509286486142715264171061","288983511741961517629869395403767319999","281645146429849389591590940323596309613","16469418039822154266118585238964052934"]},"signature_version":"v1"},{"id":"CVE-2024-52979-a5144cd2","target":{"function":"testDefaultEncoder","file":"modules/lang-mustache/src/test/java/org/elasticsearch/script/mustache/CustomMustacheFactoryTests.java"},"deprecated":false,"source":"https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf","signature_type":"Function","digest":{"function_hash":"48993674583749389708093063397443203701","length":387},"signature_version":"v1"},{"id":"CVE-2024-52979-abfa2278","target":{"file":"x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectoryRealmTests.java"},"deprecated":false,"source":"https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["258606548703158703357485192177298514436","288983511741961517629869395403767319999","281645146429849389591590940323596309613","290548920894852666947288242126757180887"]},"signature_version":"v1"},{"id":"CVE-2024-52979-b3edaa52","target":{"function":"getScriptEngine","file":"modules/lang-mustache/src/main/java/org/elasticsearch/script/mustache/MustachePlugin.java"},"deprecated":false,"source":"https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf","signature_type":"Function","digest":{"function_hash":"129436509418703097069456262700136609437","length":74},"signature_version":"v1"},{"id":"CVE-2024-52979-bb6dba01","target":{"function":"setUpResolver","file":"x-pack/plugin/identity-provider/src/test/java/org/elasticsearch/xpack/idp/saml/sp/WildcardServiceProviderResolverTests.java"},"deprecated":false,"source":"https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf","signature_type":"Function","digest":{"function_hash":"242893088829612024318551359488042963237","length":352},"signature_version":"v1"},{"id":"CVE-2024-52979-c72453d8","target":{"file":"x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/support/mapper/TemplateRoleNameTests.java"},"deprecated":false,"source":"https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["52666119728895058155379919548760972569","265088901494427218796380562849545262970","68306334621953786014381747112565645374","303313610274449737408608142278211407807","155116228379801956478467967631501237755","265088901494427218796380562849545262970","68306334621953786014381747112565645374","287950189616453249951421553085885327629","249434961174674067395602216277173736333","265088901494427218796380562849545262970","68306334621953786014381747112565645374","201267323340808666640761053705481281573","16221604556372078746319496286368655011","265088901494427218796380562849545262970","68306334621953786014381747112565645374","45500231919697018085588020781170198288","32378051555540644080244331983031339354","288983511741961517629869395403767319999","281645146429849389591590940323596309613","8297448396737925616065850053481677587","32378051555540644080244331983031339354","288983511741961517629869395403767319999","281645146429849389591590940323596309613","79521046009440517340384660804322225185","237028476205265727057270613774050047096","265088901494427218796380562849545262970","68306334621953786014381747112565645374","79521046009440517340384660804322225185"]},"signature_version":"v1"},{"id":"CVE-2024-52979-cbf59f4b","target":{"file":"x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/support/WatcherTemplateTests.java"},"deprecated":false,"source":"https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["60222896673207200111669655988747210836","43049344507468769718159273179949187238","10297439231556214893740253186351833188","318734082014954765476378382938327023586"]},"signature_version":"v1"},{"id":"CVE-2024-52979-d54e4993","target":{"file":"modules/lang-mustache/src/test/java/org/elasticsearch/script/mustache/MustacheTests.java"},"deprecated":false,"source":"https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["293485663935582047539482180665074715958","7571772693397312765249953124617764230","71457626767536897305977570177194851958","328263911792211895285744295868415133198","118476312088919142371722359428106872110","333817603130987111132605517721006389286"]},"signature_version":"v1"},{"id":"CVE-2024-52979-d6570ab0","target":{"function":"testValidate","file":"x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/support/mapper/TemplateRoleNameTests.java"},"deprecated":false,"source":"https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf","signature_type":"Function","digest":{"function_hash":"330410250175392896987158267940458041752","length":860},"signature_version":"v1"},{"id":"CVE-2024-52979-d87f9cf9","target":{"file":"x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/template/IndexTemplateRegistryTests.java"},"deprecated":false,"source":"https://github.com/elastic/elasticsearch/commit/12ff76a92922609df4aba61a368e7adf65589749","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["283096809684524733719464503560706069315","28842194477580391204184804338721858211","137933463863149627169573504624691211768","177828051636421706381912229799761361228","326850733919010707140747320441397263875"]},"signature_version":"v1"},{"id":"CVE-2024-52979-d8ab68ef","target":{"function":"testLdapRealmWithTemplatedRoleMapping","file":"x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapRealmTests.java"},"deprecated":false,"source":"https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf","signature_type":"Function","digest":{"function_hash":"335769580348371564303430900720843911607","length":2462},"signature_version":"v1"},{"id":"CVE-2024-52979-e00685c5","target":{"function":"testValidateWillFailWhenStoredScriptIsNotFound","file":"x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/support/mapper/TemplateRoleNameTests.java"},"deprecated":false,"source":"https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf","signature_type":"Function","digest":{"function_hash":"307761132169791170555494532896444494722","length":830},"signature_version":"v1"},{"id":"CVE-2024-52979-e2118008","target":{"function":"execute","file":"modules/lang-mustache/src/main/java/org/elasticsearch/script/mustache/MustacheScriptEngine.java"},"deprecated":false,"source":"https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf","signature_type":"Function","digest":{"function_hash":"113004378988032560919429469552194850552","length":410},"signature_version":"v1"},{"id":"CVE-2024-52979-eef5181a","target":{"function":"testRealmWithTemplatedRoleMapping","file":"x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectoryRealmTests.java"},"deprecated":false,"source":"https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf","signature_type":"Function","digest":{"function_hash":"258889622100346978545772620175505937247","length":1879},"signature_version":"v1"},{"id":"CVE-2024-52979-f08c2428","target":{"function":"testValidationWillFailWhenInlineScriptIsNotEnabled","file":"x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/support/mapper/TemplateRoleNameTests.java"},"deprecated":false,"source":"https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf","signature_type":"Function","digest":{"function_hash":"29076598346795565050344845188911097493","length":503},"signature_version":"v1"},{"id":"CVE-2024-52979-f28ae52f","target":{"function":"testDocLevelSecurityTemplateWithOpenIdConnectStyleMetadata","file":"x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/support/SecurityQueryTemplateEvaluatorTests.java"},"deprecated":false,"source":"https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf","signature_type":"Function","digest":{"function_hash":"224389385575224432383223227596720385923","length":928},"signature_version":"v1"},{"id":"CVE-2024-52979-fa27532d","target":{"function":"init","file":"qa/smoke-test-ingest-with-all-dependencies/src/yamlRestTest/java/org/elasticsearch/ingest/AbstractScriptTestCase.java"},"deprecated":false,"source":"https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf","signature_type":"Function","digest":{"function_hash":"273843737499871966987904892349357433357","length":222},"signature_version":"v1"},{"id":"CVE-2024-52979-fe264b77","target":{"function":"setup","file":"modules/lang-mustache/src/test/java/org/elasticsearch/script/mustache/MustacheScriptEngineTests.java"},"deprecated":false,"source":"https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf","signature_type":"Function","digest":{"function_hash":"98812509945891425352471627426913116626","length":75},"signature_version":"v1"}],"vanir_signatures_modified":"2026-04-12T09:58:16Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}