
CVE-2025-37727: Elasticsearch: Insertion of Sensitive Information into Log File via reindex API

CVSS Score (v3.1): 5.7

Basic Information

EPSS Score: 0.03411%
Published: 10/10/2025
Updated: 10/11/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
org.elasticsearch:elasticsearch | maven | >= 7.0.0, < 8.18.8 | 8.18.8
org.elasticsearch:elasticsearch | maven | >= 8.19.0, < 8.19.5 | 8.19.5
org.elasticsearch:elasticsearch | maven | >= 9.0.0-beta1, < 9.0.8 | 9.0.8
org.elasticsearch:elasticsearch | maven | >= 9.1.0, < 9.1.5 | 9.1.5

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability, CVE-2025-37727, is a case of sensitive information being inserted into log files. This occurs when Elasticsearch's audit logging feature is enabled and a _reindex API call with a remote source is made. The root cause of the vulnerability lies in the incomplete filtering of the request body before it is logged.

The investigation of the patch e982eef416a5e1c2a4e94236d7d3b33b5c8d07db reveals that the RestReindexAction class, which handles the _reindex REST endpoint, had an inadequate filtering mechanism.

Previously, the class implemented the getFilteredFields method, which returned a hardcoded set of fields to be removed from the request before logging. The evidence shows that this set only contained `source.remote.host.password`. It failed to include the `headers` field within the `remote` object, which can carry sensitive credentials such as API keys or authentication tokens.

When a _reindex request was processed for auditing, the default implementation of RestRequestFilter.getFilteredRequest would be used, which in turn called RestReindexAction.getFilteredFields. Due to the incomplete set of filtered fields, any sensitive data in the headers would bypass this filtering and end up in the audit logs.

The patch addresses this by overriding the getFilteredRequest method directly within RestReindexAction. The new implementation inspects the request body and explicitly redacts the values of both the password and headers fields, replacing them with "::es-redacted::". This ensures that even if these fields are present, their sensitive values are not exposed in the logs.
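The filtering behaviour described above, modelled in Python as an added example (this is not Elasticsearch's own code, and the request layout, with `password` and `headers` directly under `source.remote`, is assumed from the public reindex API shape). The first function models the pre-patch filter that strips only the password, the second models the patched behaviour that replaces both values with "::es-redacted::", and a small checker shows which secret values from the original body would still reach the audit log in each case:

```python
import copy
import json

REDACTED = "::es-redacted::"

# Constructed sample _reindex request body: a remote source that carries both a
# password and an Authorization header (all values are made up for this example).
SAMPLE_REINDEX_BODY = {
    "source": {
        "remote": {
            "host": "https://remote-cluster.example:9200",
            "username": "reindex_user",
            "password": "constructed-password",
            "headers": {"Authorization": "ApiKey constructed-api-key-value"},
        },
        "index": "logs-2025",
    },
    "dest": {"index": "logs-2025-copy"},
}


def _remote(body):
    """Return the source.remote object of a reindex body, or None if absent."""
    remote = body.get("source", {}).get("remote")
    return remote if isinstance(remote, dict) else None


def filter_body_vulnerable(body):
    """Model of the pre-patch behaviour: a hardcoded field set that only strips
    the remote password before the request is audited. The headers object is
    left untouched, so any API key or bearer token in it reaches the audit log."""
    filtered = copy.deepcopy(body)
    remote = _remote(filtered)
    if remote is not None:
        remote.pop("password", None)
    return filtered


def filter_body_patched(body):
    """Model of the patched behaviour: redact the values of both the password
    and the headers field, replacing each with the "::es-redacted::" marker."""
    filtered = copy.deepcopy(body)
    remote = _remote(filtered)
    if remote is not None:
        for field in ("password", "headers"):
            if field in remote:
                remote[field] = REDACTED
    return filtered


def leaked_secrets(original, filtered):
    """Return the secret values from the original body that still appear
    verbatim in the filtered body, i.e. what would be written to the audit log."""
    remote = _remote(original) or {}
    secrets = []
    if isinstance(remote.get("password"), str):
        secrets.append(remote["password"])
    if isinstance(remote.get("headers"), dict):
        secrets.extend(v for v in remote["headers"].values() if isinstance(v, str))
    logged = json.dumps(filtered)
    return [s for s in secrets if s in logged]


if __name__ == "__main__":
    for name, fn in (("vulnerable", filter_body_vulnerable), ("patched", filter_body_patched)):
        out = fn(SAMPLE_REINDEX_BODY)
        print(f"{name}: audit log would contain {json.dumps(out)}")
        print(f"{name}: leaked secrets -> {leaked_secrets(SAMPLE_REINDEX_BODY, out)}")
```

Redacting in place rather than deleting the field keeps the logged request shape intact (an analyst can still see that a remote source with headers was used) while guaranteeing the secret value itself never reaches the log.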

Therefore, the vulnerable function is org.elasticsearch.reindex.RestReindexAction.getFilteredFields, because its insufficient implementation was the direct cause of the information leak. Any security engineer with this CVE in their environment should be aware that their existing audit logs may contain sensitive credentials if the remote reindex feature has been used with authentication headers; upgrading stops new leakage but does not clean what was already written.
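A way to check existing audit logs for the exposure described above, as an added example that is not part of the original page or of Elasticsearch. It walks JSON-per-line audit events, picks out those for the reindex endpoint, and reports events whose logged request body still carries an unredacted `source.remote.password` or `source.remote.headers`. The event field names `url.path`, `request.body` and `@timestamp` are assumed to match the Elasticsearch JSON audit log; the log lines below are constructed for the example. The secret values themselves are deliberately never included in the findings:

```python
import json
import sys

REDACTED = "::es-redacted::"


def _reindex_event(body_dict):
    """Helper to build a constructed audit event for a _reindex request."""
    return {"@timestamp": "2025-10-01T12:01:00Z", "event.type": "rest",
            "url.path": "/_reindex", "request.body": json.dumps(body_dict)}


# Constructed audit log lines: one unrelated request, one pre-patch reindex event
# with credentials in clear text, one post-patch event, one unparsable line, and
# one local (non-remote) reindex that should not be flagged.
SAMPLE_AUDIT_LINES = [
    json.dumps({"@timestamp": "2025-10-01T12:00:00Z", "event.type": "rest",
                "url.path": "/_search", "request.body": "{\"query\":{\"match_all\":{}}}"}),
    json.dumps(_reindex_event({"source": {"remote": {"host": "https://remote.example:9200",
                                                      "password": "constructed-pw",
                                                      "headers": {"Authorization": "ApiKey constructed"}},
                                          "index": "a"}, "dest": {"index": "b"}})),
    json.dumps(dict(_reindex_event({"source": {"remote": {"host": "https://remote.example:9200",
                                                           "password": REDACTED, "headers": REDACTED},
                                               "index": "a"}, "dest": {"index": "b"}}),
                    **{"@timestamp": "2025-10-02T09:30:00Z"})),
    "this line is not JSON and must be skipped",
    json.dumps(dict(_reindex_event({"source": {"index": "a"}, "dest": {"index": "b"}}),
                    **{"@timestamp": "2025-10-03T08:00:00Z"})),
]


def find_unredacted_reindex_events(lines):
    """Return one finding per audit event whose reindex request body still holds
    a clear-text remote password or headers value. Findings name the exposed
    fields only; the secret values are never copied out of the log."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # audit logs may contain non-JSON lines; skip them
        if not isinstance(event, dict) or not str(event.get("url.path", "")).endswith("/_reindex"):
            continue
        raw_body = event.get("request.body")
        if not isinstance(raw_body, str):
            continue  # body emission disabled or not a REST event
        try:
            body = json.loads(raw_body)
        except json.JSONDecodeError:
            continue
        remote = body.get("source", {}).get("remote") if isinstance(body, dict) else None
        if not isinstance(remote, dict):
            continue  # local reindex, nothing sensitive to check
        exposed = [f for f in ("password", "headers") if f in remote and remote[f] != REDACTED]
        if exposed:
            findings.append({"line": lineno, "timestamp": event.get("@timestamp"),
                             "exposed_fields": exposed})
    return findings


if __name__ == "__main__":
    # Usage: python scan_audit.py /path/to/<cluster>_audit.json (falls back to the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_AUDIT_LINES
    for finding in find_unredacted_reindex_events(lines):
        print(f"line {finding['line']} at {finding['timestamp']}: "
              f"clear-text {', '.join(finding['exposed_fields'])} in reindex request body")
```

A positive finding means the credential in that event should be treated as exposed to everyone who can read the audit log and rotated; the log files themselves should then be purged or re-protected according to the organisation's retention rules.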

Vulnerable functions

org.elasticsearch.reindex.RestReindexAction.getFilteredFields
modules/reindex/src/main/java/org/elasticsearch/reindex/RestReindexAction.java
This function was responsible for defining which fields in a `reindex` request should be filtered before being written to audit logs. The implementation was incomplete as it only specified the `source.remote.host.password` field for filtering, and completely omitted other sensitive information like `source.remote.headers`. This resulted in sensitive data, such as authentication tokens passed in headers, being logged in clear text.

WAF Protection Rules

WAF Rule

Insertion of sensitive information in log file in Elasticsearch can lead to loss of confidentiality under specific preconditions when auditing requests to the reindex API https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-reindex

Reasoning

The vulnerability, CVE-2025-37727, is a case of sensitive information being inserted into log files. This occurs when Elasticsearch's audit logging feature is enabled and a `_reindex` API call with a remote source is made. The root cause of the vulnerability lies in the incomplete filtering of the request body before it is logged.