JustAppSec

Logstash fixes GeoIP update path traversal file write

Published 08 Apr 2026. Source: Elastic Security Announcements (Discuss)

TL;DR — A path traversal in Logstash's GeoIP database update flow (ESA-2026-29) lets an attacker who controls or compromises the GeoIP update endpoint write arbitrary files with the privileges of the Logstash process, which can escalate to remote code execution in some configurations.

What happened

Logstash is Elastic’s data processing pipeline used to ingest, transform, and forward logs/events (commonly into Elasticsearch). Elastic published ESA-2026-29, a CWE-22 path traversal in the archive extraction utilities Logstash uses for GeoIP database updates: entries in a downloaded compressed archive are not validated for unsafe file paths before being written to disk.

Per Elastic, an attacker who can serve a specially crafted archive from a compromised or attacker-controlled update endpoint can write arbitrary files to the host filesystem with the privileges of the Logstash process. The advisory notes this can become remote code execution in certain configurations, notably where automatic pipeline reloading is enabled and the pipeline configuration directory is writable by that process.

| Item | Source value |
| --- | --- |
| Affected component | Archive extraction utilities used by Logstash (GeoIP database downloader/update flow) |
| Impact (per advisory) | Arbitrary file write; potentially remote code execution |
| Severity (source) | CVSS v3.1 8.1 (High) |

This is a classic high-leverage pattern: an update channel that delivers archives is a supply-chain-adjacent path to filesystem writes, and in pipeline systems a filesystem write often becomes code execution through a configuration reload path. HTTPS protects the transport, not the contents: if the trusted endpoint itself is compromised, only rejecting unsafe entry paths at extraction time prevents the write.
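The extraction flaw described above, as an added example in Ruby (the language of Logstash's own GeoIP downloader) that is not Logstash's or Elastic's code: a naive target-path computation beside a hardened one, plus an extractor that validates every tar.gz entry before writing anything. Archive contents, entry names and the `data/geoip` layout are constructed for the demonstration; only the Ruby standard library is used.

```ruby
# Added example (not Logstash's own code): Zip-Slip style tar.gz extraction,
# the naive form beside a hardened one that rejects entries escaping the
# destination directory. Uses only the Ruby standard library.
require "rubygems/package"
require "zlib"
require "stringio"
require "fileutils"
require "tmpdir"

class UnsafeArchiveEntry < StandardError; end

# Build an in-memory .tar.gz from {entry_name => contents}. Used here to
# construct test archives, including a malicious one; names are not checked.
def build_archive(entries)
  io = StringIO.new
  gz = Zlib::GzipWriter.new(io)
  Gem::Package::TarWriter.new(gz) do |tar|
    entries.each do |name, data|
      tar.add_file_simple(name, 0o644, data.bytesize) { |f| f.write(data) }
    end
  end
  gz.finish # write the gzip trailer without closing the StringIO
  io.string
end

# Vulnerable pattern: trust the entry name. Returns where the write lands.
def naive_target(entry_name, dest)
  File.expand_path(File.join(dest, entry_name))
end

# Hardened pattern: canonicalise, then require the result to stay under dest.
# One check covers "../", absolute names and "a/../../b" alike, because
# expand_path resolves all of them before the prefix test.
def safe_target(entry_name, dest_root)
  target = File.expand_path(entry_name, dest_root)
  unless target.start_with?(dest_root + File::SEPARATOR)
    raise UnsafeArchiveEntry, "entry #{entry_name.inspect} escapes #{dest_root}"
  end
  target
end

# Read every regular file out of a .tar.gz held in memory.
def read_archive(bytes)
  files = []
  Zlib::GzipReader.wrap(StringIO.new(bytes)) do |gz|
    Gem::Package::TarReader.new(gz) do |tar|
      tar.each do |entry|
        # Symlinks are a second traversal vector (link out, then write
        # through the link); this extractor simply refuses them.
        raise UnsafeArchiveEntry, "symlink #{entry.full_name}" if entry.symlink?
        files << [entry.full_name, entry.read] if entry.file?
      end
    end
  end
  files
end

# Validate every entry before writing anything, so a malicious archive
# cannot leave a half-extracted state. Returns the relative paths written.
def extract_archive(bytes, dest)
  dest_root = File.expand_path(dest)
  planned = read_archive(bytes).map { |name, data| [safe_target(name, dest_root), data] }
  planned.each do |target, data|
    FileUtils.mkdir_p(File.dirname(target))
    File.binwrite(target, data)
  end
  planned.map { |target, _| target.delete_prefix(dest_root + File::SEPARATOR) }
end

# Demonstration on constructed archives: a benign GeoIP update and one that
# tries to drop a pipeline config two directories up from the GeoIP dir.
def demo
  Dir.mktmpdir("logstash-demo") do |root|
    geoip_dir = File.join(root, "data", "geoip")
    benign = build_archive("GeoLite2-City.mmdb" => "mmdb-bytes")
    malicious = build_archive("GeoLite2-City.mmdb" => "mmdb-bytes",
                              "../../pipeline/evil.conf" => "input { }")
    written = extract_archive(benign, geoip_dir)
    blocked = begin
      extract_archive(malicious, geoip_dir)
      nil
    rescue UnsafeArchiveEntry => e
      e.message
    end
    {
      written: written,
      blocked: blocked,
      naive_landing: naive_target("../../pipeline/evil.conf", geoip_dir).delete_prefix(root + "/"),
      escaped_file_exists: File.exist?(File.join(root, "pipeline", "evil.conf")),
    }
  end
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The design choice worth copying is the order of operations: every entry is canonicalised and checked against the destination root before the first byte is written, and the check is a prefix test on the expanded path rather than a search for `..` in the name, which misses absolute names and encoded variants.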

Who is impacted

  • Logstash deployments in the affected version ranges listed by Elastic:

    | Logstash major line | Affected versions (per advisory) | Fixed version (per advisory) |
    | --- | --- | --- |
    | 8.x | 8.0.0 through 8.19.13 (inclusive) | 8.19.14 |
    | 9.x | 9.0.0 through 9.2.7 (inclusive) | 9.2.8 |
    | 9.x | 9.3.0 through 9.3.2 (inclusive) | 9.3.3 |
  • Deployments with the GeoIP database downloader enabled and configured to fetch updates from an external endpoint.
  • Higher-risk configurations called out by Elastic where:
    • automatic pipeline configuration reloading is enabled, and
    • the pipeline configuration directory is writable by the Logstash process.
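A range check against the version table above, as an added example that is not Elastic tooling. It uses Gem::Version so that 8.19.13 sorts after 8.19.2 (a plain string comparison gets that wrong and would under-report affected hosts); the "logstash 8.19.13" input form is an assumption about how a version banner looks, and the three ranges are copied from the advisory.

```ruby
# Added example (not Elastic's tooling): decide whether an installed Logstash
# version falls inside the ranges ESA-2026-29 lists, and which fix to take.
require "rubygems"

# [first affected, last affected, fixed] per line, exactly as in the advisory.
AFFECTED_RANGES = [
  ["8.0.0", "8.19.13", "8.19.14"],
  ["9.0.0", "9.2.7",   "9.2.8"],
  ["9.3.0", "9.3.2",   "9.3.3"],
].freeze

# Accepts a bare version or a banner such as "logstash 8.19.13" (assumed form).
# A "-SNAPSHOT" suffix is dropped, which treats a snapshot as its numbered
# release; a snapshot can predate the fix, so confirm those separately.
def parse_logstash_version(text)
  m = text.match(/(\d+)\.(\d+)\.(\d+)/)
  raise ArgumentError, "no version in #{text.inspect}" unless m
  Gem::Version.new(m[0])
end

# Returns {version:, affected:, upgrade_to:}. Versions outside every listed
# range (including anything newer than a fixed release) report as not affected.
def assess(text)
  v = parse_logstash_version(text)
  AFFECTED_RANGES.each do |lo, hi, fixed|
    next unless v >= Gem::Version.new(lo) && v <= Gem::Version.new(hi)
    return { version: v.to_s, affected: true, upgrade_to: fixed }
  end
  { version: v.to_s, affected: false, upgrade_to: nil }
end

if __FILE__ == $PROGRAM_NAME
  ARGV.each { |arg| puts assess(arg).inspect }
end
```

Run it with the output of your version banner as the argument; a host on 9.2.8 or 9.3.3 reports not affected, a host on 9.3.0 is told to move to 9.3.3 rather than 9.2.8.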

What to do now

  • Follow vendor remediation guidance and upgrade to a fixed release referenced in the advisory:

    "The issue is resolved in versions 8.19.14, 9.2.8, and 9.3.3."

  • If you cannot upgrade immediately, apply Elastic’s mitigations (as applicable to your environment):
    • Disable the GeoIP downloader.

      "Disable the GeoIP database downloader by setting xpack.geoip.downloader.enabled: false in the Logstash configuration."

    • Ensure the GeoIP downloader endpoint is HTTPS and trusted.

      "Ensure the GeoIP downloader endpoint uses HTTPS and points to a trusted source."

    • Reduce exposure of “write-then-load” paths.

      "Disable automatic pipeline configuration reloading to prevent code execution via written files."

    • Tighten filesystem permissions for the Logstash runtime.

      "Restrict filesystem write permissions for the Logstash process to only necessary directories."

  • Treat this as an integrity incident if your GeoIP updates come from an external endpoint: review for unexpected writes and suspicious downloader activity.
    • Elastic recommends checking for "unexpected files written outside the GeoIP database directory" and reviewing logs for GeoIP downloads from unexpected endpoints.

Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
