GHSA-xv9w-7v6q-hpjh
fluent-plugin-s3 Vulnerable to Denial of Service (DoS) via Decompression Bomb in `in_s3`
### Details
The `fluent-plugin-s3` plugin (specifically the `in_s3` input plugin) supports reading and decompressing heavily compressed files (such as `gzip`, `lzma2`, and `lzop`) from Amazon S3. It was discovered that the plugin read the entire decompressed payload into memory at once without enforcing a strict size limit.
If an attacker has sufficient permissions to upload files to the monitored S3 bucket, they can upload a maliciously crafted, highly compressed file. When Fluentd attempts to decompress this file, it expands to an excessive size and consumes significant system resources.
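To make the failure mode and its fix concrete, here is an added Ruby example (not code from fluent-plugin-s3): the unbounded whole-payload read the advisory describes next to a streaming reader that enforces a hard cap on inflated bytes. The function names, the constructed sample object and the 1 MiB cap are illustrative assumptions, not values from the plugin.

```ruby
require 'zlib'
require 'stringio'

# Constructed sample object (not a real S3 upload): 4 MiB of zero bytes, which gzip
# shrinks to a few KiB. Only for illustration; the point is the reader below.
BOMB_PLAIN_SIZE = 4 * 1024 * 1024
COMPRESSED_BOMB = Zlib.gzip("\0" * BOMB_PLAIN_SIZE)

# Vulnerable pattern (hypothetical, not the plugin's code): inflate the whole object
# into one String, so peak memory equals the decompressed size with no ceiling.
def inflate_unbounded(gz_bytes)
  Zlib::GzipReader.new(StringIO.new(gz_bytes)).read
end

class DecompressionLimitExceeded < StandardError; end

# Hardened pattern: inflate in fixed-size chunks and stop as soon as the running total
# exceeds max_bytes, so a bomb costs at most max_bytes plus one chunk before rejection.
def inflate_bounded(gz_bytes, max_bytes:, chunk_size: 64 * 1024)
  total = 0
  out = String.new # binary buffer for the inflated bytes
  gz = Zlib::GzipReader.new(StringIO.new(gz_bytes))
  while (chunk = gz.read(chunk_size)) # nil at end of stream
    total += chunk.bytesize
    if total > max_bytes
      raise DecompressionLimitExceeded,
            "inflated size exceeds #{max_bytes} bytes (stopped after #{total})"
    end
    out << chunk
  end
  out
ensure
  gz&.close
end

# Convenience wrapper: does the object inflate within the cap?
def within_limit?(gz_bytes, max_bytes:)
  inflate_bounded(gz_bytes, max_bytes: max_bytes)
  true
rescue DecompressionLimitExceeded
  false
end

if __FILE__ == $PROGRAM_NAME
  puts "compressed #{COMPRESSED_BOMB.bytesize} bytes -> #{inflate_unbounded(COMPRESSED_BOMB).bytesize} inflated"
  puts "accepted under a 1 MiB cap? #{within_limit?(COMPRESSED_BOMB, max_bytes: 1024 * 1024)}"
end
```

The cap should be sized to the largest legitimate object the pipeline expects, and rejections are worth logging as a signal that untrusted uploads are reaching the bucket.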
### Impact
This vulnerability allows for a **Denial of Service (DoS)** attack via memory exhaustion. The rapid memory consumption during decompression can lead to an Out-of-Memory kill of the Fluentd process by the operating system, which disrupts all log collection on the affected node.
### Patches
Patched in v1.8.5.
### Workarounds
If an immediate upgrade is not possible, mitigate the risk by applying strict IAM access controls:
1. Restrict Bucket Access
   * Ensure that write (PUT) access to the S3 bucket monitored by `in_s3` is strictly limited to trusted services and administrators. Prevent any public or untrusted uploads to the S3 bucket.