CVE-2025-37727

Published: Oct 10, 2025Modified: Dec 23, 2025

5.7

Vector

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.1 / Impact: 3.6

Source: security@elastic.co (Secondary)

Description

Insertion of sensitive information in log file in Elasticsearch can lead to loss of confidentiality under specific preconditions when auditing requests to the reindex API https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-reindex

Affected (5)

Products: Elastic: Elasticsearch

Elastic

1 product

Elasticsearch

Configuration A

5 vulnerable

Vulnerable Software	Affected Versions
Elastic Elasticsearch	From 7.0.0 to 7.17.29
Elastic Elasticsearch	From 8.0.0 to 8.18.8
Elastic Elasticsearch	From 8.19.0 to 8.19.5
Elastic Elasticsearch	From 9.0.0 to 9.0.8
Elastic Elasticsearch	From 9.1.0 to 9.1.5

Related CWEs

CWE-532

Insertion of Sensitive Information into Log File

Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

References (1)

https://discuss.elastic.co/t/elasticsearch-8-18-8-8-19-5-9-0-8-9-1-5-security-update-esa-2025-18/382453

Source: security@elastic.co

Vendor Advisory

Timeline

No history available yet.