Base Score

MEDIUM5.7

CVE-2025-37727

Insertion of sensitive information in log file in Elasticsearch can lead to loss of confidentiality under specific preconditions when auditing requests to the reindex API https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-reindex

VectorADJACENT_NETWORK

Published Bysecurity@elastic.co

Published DateOct 10, 2025, 10:15

Affected Versions(4)

org.elasticsearch:elasticsearch(Maven)

Introduced7.0.0

Fixed8.18.8

LimitN/A

org.elasticsearch:elasticsearch(Maven)

Introduced8.19.0

Fixed8.19.5

LimitN/A

org.elasticsearch:elasticsearch(Maven)

Introduced9.0.0-beta1

Fixed9.0.8

LimitN/A

org.elasticsearch:elasticsearch(Maven)

Introduced9.1.0

Fixed9.1.5

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
org.elasticsearch:elasticsearch(Maven)	7.0.0	8.18.8	N/A
org.elasticsearch:elasticsearch(Maven)	8.19.0	8.19.5	N/A
org.elasticsearch:elasticsearch(Maven)	9.0.0-beta1	9.0.8	N/A
org.elasticsearch:elasticsearch(Maven)	9.1.0	9.1.5	N/A

Weakness Type (CWE):CWE-532

CVSS Metrics

Base Score

5.7

Vector String

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

ADJACENT_NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

NONE

Availability (A)

NONE

References

https://discuss.elastic.co/t/elasticsearch-8-18-8-8-19-5-9-0-8-9-1-5-security-update-esa-2025-18/382453

Base Score

MEDIUM5.7

Weakness Type (CWE):CWE-532

CVSS Metrics

Base Score

5.7

Vector String

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

ADJACENT_NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

NONE

Availability (A)

NONE