CVE-2024-58102

5.7 MEDIUM

📋 TL;DR

This vulnerability in Datalust Seq allows attackers to cause denial of service through stack exhaustion by submitting queries with deeply nested expressions. It affects all Seq instances before version 2024.3.13545 that accept user queries. The insecure default parsing depth limit enables resource exhaustion attacks.

💻 Affected Systems

Products:
  • Datalust Seq
Versions: All versions before 2024.3.13545
Operating Systems: All supported platforms (Windows, Linux, Docker)
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable. The vulnerability exists in the query parsing engine and affects any instance accepting user queries.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service unavailability due to stack exhaustion, requiring manual restart of Seq service and potential data loss if queries aren't properly queued.

🟠 Likely Case

Temporary service degradation or crashes when malicious queries are processed, impacting query functionality and potentially affecting dependent applications.

🟢 If Mitigated

Minimal impact with proper query validation, rate limiting, and monitoring in place to detect and block malicious patterns.

🌐 Internet-Facing: MEDIUM - While exploitation requires query submission capability, internet-facing Seq instances are exposed to automated scanning and attack attempts.
🏢 Internal Only: LOW - Internal-only deployments reduce attack surface, though insider threats or compromised internal systems could still exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires ability to submit queries to Seq. No authentication bypass is needed beyond normal query submission permissions. The attack is straightforward once query submission capability is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2024.3.13545 and later

Vendor Advisory: https://github.com/datalust/seq-tickets/issues/2367

Restart Required: Yes

Instructions:

1. Back up your Seq configuration and data.
2. Download Seq 2024.3.13545 or later from datalust.co/seq.
3. Stop the Seq service.
4. Install the updated version.
5. Restart the Seq service.
6. Verify functionality and monitor for issues.

🔧 Temporary Workarounds

Query Depth Limiting

all

Implement custom middleware or proxy rules to reject queries exceeding reasonable nesting depth before they reach Seq.

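# Example nginx rule to block deep queries
# Caveats: nginx evaluates "if" in the rewrite phase, before the request body
# is read, so $request_body is normally empty here and the rule will not fire
# unless the body has already been buffered. The pattern also matches any
# body with two levels of braces, not only deeply nested ones.
location /api/events/query {
    if ($request_body ~* "\{[^{}]*\{[^{}]*\}[^{}]*\}") {
        return 400;
    }
}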
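
One way to implement the depth check described under Query Depth Limiting in a proxy or middleware layer, as an added example that is not part of the original page or Datalust's code. The names `max_nesting` and `check_query`, the limits `MAX_DEPTH` and `MAX_LENGTH`, and the single-quoted string syntax with doubled-quote escapes are assumptions.

```python
# Added example: pre-filter that bounds expression nesting in a query string.
# MAX_DEPTH, MAX_LENGTH and the quoting rules are assumptions, not Seq's values.

MAX_DEPTH = 32              # assumed policy limit; tune to your real queries
MAX_LENGTH = 16 * 1024      # assumed cap on query text size, in characters
OPENERS = {"(": ")", "[": "]", "{": "}"}
CLOSERS = set(OPENERS.values())


def max_nesting(query: str, quote: str = "'") -> int:
    """Return the deepest bracket nesting, ignoring brackets inside quoted
    string literals. Iterative on purpose: a recursive checker could itself
    be driven into stack exhaustion by the input it is meant to screen."""
    depth = deepest = 0
    in_string = False
    i = 0
    while i < len(query):
        ch = query[i]
        if in_string:
            if ch == quote:
                # A doubled quote ('') is treated as an escaped quote (assumption).
                if i + 1 < len(query) and query[i + 1] == quote:
                    i += 1
                else:
                    in_string = False
        elif ch == quote:
            in_string = True
        elif ch in OPENERS:
            depth += 1
            deepest = max(deepest, depth)
        elif ch in CLOSERS and depth > 0:
            depth -= 1
        i += 1
    return deepest


def check_query(query: str) -> tuple[bool, str]:
    """Decide whether to forward the query (True) or reject it (False)."""
    if len(query) > MAX_LENGTH:
        return False, "query too long"
    depth = max_nesting(query)
    if depth > MAX_DEPTH:
        return False, f"nesting depth {depth} exceeds {MAX_DEPTH}"
    return True, "ok"
```

Bracket depth is only an approximation of how deep the server's parser recurses, so a filter like this complements the upgrade to 2024.3.13545 rather than replacing it.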

Rate Limiting

all

Implement strict rate limiting on query endpoints to prevent rapid exploitation attempts.

# Example using Seq's built-in rate limiting
# Configure in Seq appsettings.json:
"Api": {
    "RateLimiting": {
        "Enabled": true,
        "RequestsPerMinute": 60
    }
}

🧯 If You Can't Patch

  • Implement network segmentation to restrict query submission to trusted sources only
  • Deploy WAF or reverse proxy with rules to detect and block deeply nested JSON patterns

🔍 How to Verify

Check if Vulnerable:

Check Seq version via web interface (Settings > About) or command line: seq version

Check Version:

seq version

Verify Fix Applied:

Verify version is 2024.3.13545 or later and test with sample deeply nested queries to ensure proper rejection

📡 Detection & Monitoring

Log Indicators:

  • Stack overflow errors in Seq logs
  • Unusually large query payloads
  • Rapid sequence of query failures
  • High memory consumption alerts

Network Indicators:

  • Large POST requests to /api/events/query endpoint
  • Rapid query submissions from single source
  • Patterns of deeply nested JSON in traffic

SIEM Query:

source="seq" AND ("stack overflow" OR "out of memory" OR "query failed") AND uri_path="/api/events/query"
