CVE-2025-27911

6.5 MEDIUM

📋 TL;DR

This vulnerability in Datalust Seq allows attackers to bypass event body size limits by exploiting identifier expansion in message templates. This can lead to resource exhaustion through disk space depletion or out-of-memory server crashes. Organizations running vulnerable versions of Seq are affected.

💻 Affected Systems

Products:
  • Datalust Seq
Versions: All versions before 2024.3.13545
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable; the issue affects the core message template processing functionality.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server outage due to out-of-memory termination or disk space exhaustion, potentially causing service disruption and data loss.

🟠 Likely Case

Degraded performance and intermittent service interruptions due to resource exhaustion, requiring manual intervention to restore normal operations.

🟢 If Mitigated

Minimal impact with proper monitoring and resource limits, though some performance degradation may still occur during attack attempts.

🌐 Internet-Facing: HIGH - Internet-facing Seq instances are directly exposed to exploitation attempts that could cause denial of service.
🏢 Internal Only: MEDIUM - Internal instances are still vulnerable but require attacker access to internal networks.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability appears straightforward to exploit by crafting malicious message templates that trigger excessive identifier expansion.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2024.3.13545 and later

Vendor Advisory: https://github.com/datalust/seq-tickets/issues/2365

Restart Required: Yes

Instructions:

  1. Back up your Seq configuration and data.
  2. Upgrade to Seq version 2024.3.13545 or later.
  3. Restart the Seq service.
  4. Verify the upgrade was successful.

🔧 Temporary Workarounds

Reduce Event Body Limit

all

Lower the maximum allowed event body size to limit potential damage from exploitation

seq config set -k "Seq:RawEventBodyLimitBytes" -v "1048576"

Implement Rate Limiting

all

Add network-level rate limiting to restrict the volume of incoming events

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Seq instances from untrusted networks
  • Deploy monitoring and alerting for abnormal memory/disk usage patterns

🔍 How to Verify

Check if Vulnerable:

Check the Seq version; if it's earlier than 2024.3.13545, the system is vulnerable.

Check Version:

seq version

Verify Fix Applied:

Confirm the version is 2024.3.13545 or later and test that large identifier expansions no longer bypass body limits.
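
The version check described above, as an added example (not code from Datalust or from this page's source): a POSIX shell function that compares a version string against the fixed release 2024.3.13545 numerically, component by component, because a plain string comparison would rank 2024.3.9999 above 2024.3.13545. The function names, the "host version" inventory format and the hostnames are assumptions, and the version string is assumed to be the dotted form reported by `seq version`.

```shell
#!/bin/sh
# Fixed release named on this page.
FIXED_VERSION="2024.3.13545"

# seq_version_is_patched VERSION
# Returns 0 if VERSION >= FIXED_VERSION, 1 if it is older, 2 if unparseable.
# Assumption: a pre-release or build suffix ("-pre", "+abc") is ignored.
seq_version_is_patched() {
    v=${1%%[-+]*}
    case "$v" in
        ''|*[!0-9.]*|.*|*.|*..*) return 2 ;;   # empty, non-numeric, stray dots
    esac
    fixed=$FIXED_VERSION
    while [ -n "$v" ] || [ -n "$fixed" ]; do
        a=${v%%.*}; b=${fixed%%.*}             # leading component of each
        case "$v" in *.*) v=${v#*.} ;; *) v= ;; esac
        case "$fixed" in *.*) fixed=${fixed#*.} ;; *) fixed= ;; esac
        a=${a:-0}; b=${b:-0}                   # missing component counts as 0
        if [ "$a" -gt "$b" ]; then return 0; fi
        if [ "$a" -lt "$b" ]; then return 1; fi
    done
    return 0                                   # all components equal
}

# list_vulnerable: reads "host version" lines on stdin and prints every host
# that still needs the upgrade or whose version could not be parsed.
list_vulnerable() {
    while read -r host ver; do
        [ -n "$host" ] || continue
        rc=0
        seq_version_is_patched "$ver" || rc=$?
        case $rc in
            1) echo "$host $ver VULNERABLE" ;;
            2) echo "$host $ver UNKNOWN" ;;
        esac
    done
}

# Constructed inventory: hostnames and versions are made up for illustration.
list_vulnerable <<'EOF'
seq-prod-01 2024.3.13545
seq-dev-02 2024.3.9999
seq-lab-03 2023.4.10219
EOF
```
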

📡 Detection & Monitoring

Log Indicators:

  • Unusually large event processing times
  • Memory allocation errors
  • Disk space warnings
  • Server restart events

Network Indicators:

  • Spikes in incoming event volume
  • Patterns of repeated template submissions with large identifiers

SIEM Query:

source="seq" AND (event_size > threshold OR memory_usage > threshold) | stats count by host
