CVE-2024-2689

Name of the Vulnerable Software and Affected Versions Temporal Server versions prior to 1.20.5 Temporal Server versions prior to 1.21.6 Temporal Server versions prior to 1.22.7

Description The issue allows an authenticated user with permissions to interact with workflows to potentially cause a crashloop by submitting an invalid UTF-8 string. This can lead to a task becoming stuck in the queue, causing an increase in queue lag. Eventually, all processes handling these queues will become stuck, and the system will run out of resources. The workflow ID of the failing task is visible in the logs and can be used to remove that workflow as a mitigation.

Recommendations For versions prior to 1.20.5, consider removing the workflow with the failing task ID from the logs to mitigate the issue. For versions prior to 1.21.6, consider removing the workflow with the failing task ID from the logs to mitigate the issue. For versions prior to 1.22.7, consider removing the workflow with the failing task ID from the logs to mitigate the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.