Vulnerability Details CVE-2025-30373
Graylog is a free and open log management platform. Starting with 6.1, HTTP Inputs can be configured to check if a specified header is present and has a specified value to authenticate HTTP-based ingestion. Unfortunately, even though in cases of a missing header or a wrong value the correct HTTP response (401) is returned, the message will be ingested nonetheless. To mitigate the vulnerability, disable http-based inputs and allow only authenticated pull-based inputs. This vulnerability is fixed in 6.1.9.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 1.9%
CVSS Severity
CVSS v3 Score 6.5
References
Products affected by CVE-2025-30373
-
cpe:2.3:a:graylog:graylog:6.1.0
-
cpe:2.3:a:graylog:graylog:6.1.1
-
cpe:2.3:a:graylog:graylog:6.1.2
-
cpe:2.3:a:graylog:graylog:6.1.3
-
cpe:2.3:a:graylog:graylog:6.1.4
-
cpe:2.3:a:graylog:graylog:6.1.5
-
cpe:2.3:a:graylog:graylog:6.1.6
-
cpe:2.3:a:graylog:graylog:6.1.7
-
cpe:2.3:a:graylog:graylog:6.1.8