6.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-37731

CVE-2025-37731: Elasticsearch PKI Realm Authentication Bypass Vulnerability Allows User Impersonation Through Crafted Client Certificates

Improper Authentication in Elasticsearch PKI realm can lead to user impersonation via specially crafted client certificates. A malicious actor would need to have such a crafted client certificate signed by a legitimate, trusted Certificate Authority.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-37731

CVE-2025-37731:

6.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.elasticsearch:elasticsearch	maven	>= 7.0.0-alpha1, < 8.19.8	8.19.8
org.elasticsearch:elasticsearch	maven	>= 9.0.0-beta1, < 9.1.8	9.1.8
org.elasticsearch:elasticsearch	maven	>= 9.2.0, < 9.2.2	9.2.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists in the PKI authentication realm of Elasticsearch, where the user's identity (principal) is extracted from a client X.509 certificate. The root cause is the use of a regular expression on the string representation of the certificate's Subject Distinguished Name (DN) within the getPrincipalFromSubjectDN function. This method is fundamentally insecure because the string representation of a DN is not guaranteed to be unambiguous and can be manipulated by an attacker who can control the fields of a certificate to be signed by a trusted Certificate Authority.

The patch addresses this by introducing a new, safer method of principal extraction. A new class, RdnFieldExtractor, is added, which parses the DER-encoded ASN.1 structure of the DN to extract a specific attribute (RDN) by its Object Identifier (OID). This is a robust method that is not susceptible to the ambiguities of string representation. The PkiRealm is modified to use this new extractor when configured via new settings (username_rdn_oid or username_rdn_name), falling back to the old, vulnerable regex-based method only for backward compatibility. The key functions authenticate and token in PkiRealm were updated to use this new, safer logic. An attacker could exploit this by presenting a crafted certificate, causing the vulnerable getPrincipalFromSubjectDN function to be called, leading to user impersonation.

Vulnerable functions

org.elasticsearch.xpack.security.authc.pki.PkiRealm.getPrincipalFromSubjectDN

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/pki/PkiRealm.java

This function extracts the principal from a certificate's subject DN using a regular expression on the string representation of the DN. This method is vulnerable because the string representation of a DN can be ambiguous. An attacker with a certificate signed by a trusted CA could craft the DN fields in a way that the regex extracts a different user's principal, leading to impersonation. For example, a crafted Common Name (CN) could include characters that manipulate the regex matching, like a comma.

org.elasticsearch.xpack.security.authc.pki.PkiRealm.authenticate

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/pki/PkiRealm.java

This is the main authentication method for the PKI realm. It orchestrates the authentication process using a client certificate. In vulnerable versions, it directly calls the `getPrincipalFromSubjectDN` function, which unsafely parses the user principal. Therefore, this function is a critical part of the attack chain, as it's the entry point for processing the malicious certificate.

org.elasticsearch.xpack.security.authc.pki.PkiRealm.token

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/pki/PkiRealm.java

This method is responsible for creating an `X509AuthenticationToken` from the client certificate provided in the thread context. It calls the vulnerable `getPrincipalFromSubjectDN` function to extract the principal that will be embedded in the authentication token. This makes it an initial step in the vulnerable authentication flow.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-37731: Elasticsearch PKI Realm Authentication Bypass Vulnerability Allows User Impersonation Through Crafted Client Certificates

CVE-2025-37731:

6.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

6.8

6.8

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

CVE-2025-37731: Elasticsearch PKI Realm Authentication Bypass Vulnerability Allows User Impersonation Through Crafted Client Certificates

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI