CVE-2024-47866: 
NixOS vulnerability analysis and mitigation

Ceph, a distributed object, block, and file storage platform, contains a vulnerability (CVE-2024-47866) discovered in versions up to and including 19.2.3. The vulnerability was disclosed on November 11, 2025, affecting the RGW (RADOS Gateway) module. This high-severity vulnerability has been assigned a CVSS v3.1 score of 7.5 (GitHub Advisory, OSS Security).

The vulnerability stems from improper input validation in the RGW module's handling of the x-amz-copy-source argument during object operations. When an empty string is specified as the content for this argument during a PUT object operation, it triggers a crash in the RGW daemon. The issue specifically occurs in the RGWCopyObj::parse_copy_location function. The vulnerability has been classified as CWE-20 (Improper Input Validation) with a CVSS vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (GitHub Advisory).

The exploitation of this vulnerability results in a Denial of Service (DoS) condition, making the object storage services (RGW, S3, Swift) unavailable. Notably, while AWS credentials are required for initial bucket and source object creation, the DoS attack can be executed even with unauthenticated S3 sessions (GitHub Advisory).

As of the disclosure date, no patched versions are available. However, the issue has been fixed in an upstream PR and will be backported to other releases. For downstream Ceph implementations, a patch is scheduled to be included in Ceph 8.1z4 (OSS Security).