Which version of Logstash has the fix for issue AIKIDO-2024-10428?

Hello there,

Our internal container image scanning tool has flagged a vulnerability related to JRuby’s StringIO library bundled with Logstash 8.19.7.

Issue Details

A vulnerability was reported in StringIO, where the methods

  • StringIO#ungetc and

  • StringIO#ungetbyte

may use uninitialized memory, leading to potential memory corruption or unexpected behavior.

Our scan indicates that Logstash 8.19.7 includes stringio 3.0.8, while the patched version is 3.1.2 or later.

Request

Could you please clarify:

  1. Which Logstash version includes JRuby with StringIO ≥ 3.1.2?

  2. Is there any official documentation listing components or Ruby/JRuby gem versions bundled with each Logstash release?

  3. If a fix is pending, is there an expected timeline or workaround (e.g., manual override, plugin update, custom JRuby upgrade)?

I have not found publicly available information detailing the specific JRuby/StringIO versions packaged with each Logstash build, so guidance would be highly appreciated.

Thanks in advance for your support!

Thanks & Regards,

Saikiran
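A way to check the bundled stringio version on an existing install while waiting for an official answer, as an added example (not Elastic's or Logstash's own tooling): it reads gem versions from gemspec file names and from the `specs:` block of a `Gemfile.lock`, then compares them numerically against a patched floor. The gemspec file-name layout (`<gem>-<version>.gemspec`), the `Gemfile.lock` format, and the sample data below are assumptions constructed for this example; only the stringio 3.0.8 / Logstash 8.19.7 / 3.1.2 numbers come from the question.

```python
"""Check whether a Logstash install bundles a stringio gem at or above a patched floor.

Added example, not Elastic's tooling. Two places where bundled gem versions are
usually recorded are read (both treated as assumptions about the layout):
  * gemspec file names, e.g. .../specifications/default/stringio-3.0.8.gemspec
  * the root Gemfile.lock, whose "specs:" block lists "    gem (version)" lines
The sample inputs at the bottom are constructed for this example.
"""
import re
from pathlib import Path

# "<name>-<version>.gemspec"; the non-greedy name lets hyphenated gem names work.
GEMSPEC_RE = re.compile(r"^(?P<name>[A-Za-z0-9_\-]+?)-(?P<version>\d+(?:\.\d+)*)\.gemspec$")
# Exactly four spaces of indent: direct specs, not their six-space dependency lines.
LOCK_SPEC_RE = re.compile(r"^ {4}(?P<name>\S+) \((?P<version>[^)]+)\)\s*$")


def parse_version(text: str) -> tuple:
    """Turn '3.0.8' into (3, 0, 8) so ordering is numeric, not lexicographic."""
    parts = text.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported (non-release) version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(found: str, patched_floor: str) -> bool:
    """True when found >= patched_floor; short versions are zero-padded (3.1 == 3.1.0)."""
    a, b = parse_version(found), parse_version(patched_floor)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def versions_from_gemspec_names(filenames, gem: str) -> list:
    """Collect versions of `gem` from gemspec file names."""
    out = []
    for fn in filenames:
        m = GEMSPEC_RE.match(fn)
        if m and m.group("name") == gem:
            out.append(m.group("version"))
    return out


def versions_from_gemfile_lock(text: str, gem: str) -> list:
    """Collect versions of `gem` from the 'specs:' entries of a Gemfile.lock."""
    out = []
    for line in text.splitlines():
        m = LOCK_SPEC_RE.match(line)
        if m and m.group("name") == gem:
            out.append(m.group("version"))
    return out


def assess(versions, gem: str, patched_floor: str) -> dict:
    """Summarise which of the found versions fall below the patched floor."""
    unique = sorted(set(versions), key=parse_version)
    return {
        "gem": gem,
        "found": unique,
        "patched_floor": patched_floor,
        "below_floor": [v for v in unique if not is_patched(v, patched_floor)],
    }


def scan_install(root: str, gem: str = "stringio", patched_floor: str = "3.1.2") -> dict:
    """Walk a real install directory: gemspec names plus Gemfile.lock, if present."""
    root_path = Path(root)
    versions = versions_from_gemspec_names((p.name for p in root_path.rglob("*.gemspec")), gem)
    lock = root_path / "Gemfile.lock"
    if lock.is_file():
        versions += versions_from_gemfile_lock(lock.read_text(encoding="utf-8"), gem)
    return assess(versions, gem, patched_floor)


# Constructed sample data standing in for a Logstash 8.19.7 install; the stringio and
# Logstash numbers are those quoted in the question, the other gem name is illustrative.
SAMPLE_GEMSPEC_NAMES = [
    "stringio-3.0.8.gemspec",
    "logstash-core-8.19.7.gemspec",
    "jruby-openssl-0.14.2.gemspec",
]
SAMPLE_GEMFILE_LOCK = """\
GEM
  remote: https://rubygems.org/
  specs:
    logstash-core (8.19.7)
      stringio (>= 3.0)
    stringio (3.0.8)
"""

if __name__ == "__main__":
    found = versions_from_gemspec_names(SAMPLE_GEMSPEC_NAMES, "stringio")
    found += versions_from_gemfile_lock(SAMPLE_GEMFILE_LOCK, "stringio")
    print(assess(found, "stringio", "3.1.2"))
    # On a real install: print(scan_install("/usr/share/logstash"))
```

Numeric comparison matters here: a plain string compare ranks "3.9.0" above "3.10.0", which would hide an unpatched gem. Two different stringio versions can legitimately coexist (a JRuby default gem plus a plugin-vendored copy), so the result lists every version found rather than stopping at the first.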

As mentioned on the Community Slack, you need to send this to security@elastic.co for them to validate whether this impacts Logstash or not.