CVE-2025-37727
Information Exposure vulnerability in elasticsearch (Maven)

Information Exposure No known exploit

What is CVE-2025-37727 About?

This vulnerability in Elasticsearch leads to information exposure by inserting sensitive information into log files during the auditing of reindex API requests. Under specific preconditions, this can result in the loss of confidentiality of sensitive data. Exploitation requires the use of the reindex API with certain configurations and is moderately complex to leverage for data exfiltration.

Affected Software

  • org.elasticsearch:elasticsearch
    • >9.0.0-beta1, <9.0.8
    • >8.19.0, <8.19.5
    • >7.0.0, <8.18.8
    • >9.1.0, <9.1.5

Technical Details

The vulnerability is an Information Exposure flaw in Elasticsearch related to the auditing of _reindex API requests. When the _reindex API is used, especially with certain configurations or data sources, sensitive information might be inadvertently included in the audit log files. This occurs because the logging mechanism, under specific preconditions, captures and writes data that should have been redacted or not logged at all. An attacker with access to these log files (either directly or through another vulnerability like local file inclusion) could then retrieve sensitive information that was part of the _reindex request or the reindexed data, leading to a loss of confidentiality. The 'specific preconditions' likely relate to the structure of the data being reindexed, the source/destination indices, or audit log configuration settings that permit verbose logging of request bodies or parameters.

What is the Impact of CVE-2025-37727?

Successful exploitation may allow attackers to gain unauthorized access to sensitive information from log files, leading to data leakage and loss of confidentiality.

What is the Exploitability of CVE-2025-37727?

Exploitation of this vulnerability requires the use of the Elasticsearch _reindex API under specific configurations that cause sensitive information to be logged. The complexity is moderate, as it requires knowledge of Elasticsearch's logging mechanisms and the _reindex API's behavior. Authentication to Elasticsearch is required to perform reindex operations and likely to access log files, meaning this would likely be performed by an authenticated user with at least some level of privilege. This is potentially a remote or local vulnerability depending on how log files are exposed and whether the _reindex API is accessible remotely. Special conditions include the specific _reindex request content and Elasticsearch's audit log configuration. The likelihood of exploitation increases if audit logs are not properly secured, if verbose logging is enabled for sensitive operations, and if the reindex API handles data that inherently contains confidential information without sanitization for logging purposes.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2025-37727?

Available Upgrade Options

  • org.elasticsearch:elasticsearch
    • >7.0.0, <8.18.8 → Upgrade to 8.18.8
    • >8.19.0, <8.19.5 → Upgrade to 8.19.5
    • >9.0.0-beta1, <9.0.8 → Upgrade to 9.0.8
    • >9.1.0, <9.1.5 → Upgrade to 9.1.5
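The following is an added example, not code from the Elasticsearch project or from this advisory: a small Python check that maps a deployed Elasticsearch version to the upgrade target listed above. It treats both bounds as strict, exactly as the page writes them, and the node names in the sample inventory are hypothetical.

```python
import re

# Ranges as listed on this page: (lower bound, upper bound, fixed release).
# Both bounds are strict, matching the ">" and "<" used in the advisory.
AFFECTED = [
    ("7.0.0", "8.18.8", "8.18.8"),
    ("8.19.0", "8.19.5", "8.19.5"),
    ("9.0.0-beta1", "9.0.8", "9.0.8"),
    ("9.1.0", "9.1.5", "9.1.5"),
]

_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)(\d*))?$")


def parse(version):
    """Return a sortable key; pre-releases (alpha/beta/rc) sort before the release."""
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch, tag, num = m.groups()
    if tag is None:
        pre = (1, "", 0)  # a final release sorts after any of its pre-releases
    else:
        pre = (0, tag.lower(), int(num or 0))
    return (int(major), int(minor), int(patch)) + pre


def check(version):
    """Return (affected, fixed_release_or_None) for one Elasticsearch version."""
    key = parse(version)
    for low, high, fix in AFFECTED:
        if parse(low) < key < parse(high):
            return True, fix
    return False, None


def audit(inventory):
    """Map node name -> upgrade target for every affected node in an inventory."""
    results = {}
    for node, version in inventory.items():
        affected, fix = check(version)
        if affected:
            results[node] = fix
    return results


if __name__ == "__main__":
    # Constructed sample inventory; node names are hypothetical.
    sample = {"es-prod-1": "8.17.3", "es-prod-2": "8.19.5", "es-dev-1": "9.0.0-rc1"}
    for node, fix in audit(sample).items():
        print(f"{node}: affected, upgrade to {fix}")
```
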

Additional Resources

What are Similar Vulnerabilities to CVE-2025-37727?

Similar Vulnerabilities: CVE-2023-45136, CVE-2022-23507, CVE-2021-43285, CVE-2020-24750, CVE-2019-12093