7.4

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-62371

GHSA ID

GHSA-43ff-rr26-8hx4

EPSS Score

CWE

CWE-295

Published

10/15/2025

Updated

10/15/2025

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-62371

CVE-2025-62371: OpenSearch Data Prepper plugins trust all SSL certificates by default

Impact

The OpenSearch sink and source plugins in Data Prepper are configured to trust all SSL certificates by default when no certificate path was provided, making connections vulnerable to man-in-the-middle attacks.

Prior to this fix, the OpenSearch sink and source plugins would automatically use a trust all SSL strategy when connecting to OpenSearch clusters if no certificate path was explicitly configured. This behavior bypassed SSL certificate validation, potentially allowing attackers to intercept and modify data in transit through man-in-the-middle attacks.

The vulnerability affects connections to OpenSearch when the cert parameter is not explicitly provided.

Patches

Data Prepper 2.12.2

Workarounds

If you cannot immediately upgrade to the fixed version, you can implement the following workaround.

OpenSearch sink

Add the cert parameter to your OpenSearch sink configuration with the path to your cluster's CA certificate. The following example shows how to accomplish this.

sink:
  - opensearch:
      hosts: ["https://your-opensearch-cluster:9200"]
      cert: /path/to/your/ca-certificate.pem

OpenSearch source

Add the cert parameter to your OpenSearch sink configuration with the path to your cluster's CA certificate. The following example shows how to accomplish this.

sink:
  - opensearch:
      hosts: ["https://your-opensearch-cluster:9200"]
      connection:
        cert: /path/to/your/ca-certificate.pem

References

N/A

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-62371

CVE-2025-62371:

7.4

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-62371

GHSA ID

GHSA-43ff-rr26-8hx4

EPSS Score

CWE

CWE-295

Published

10/15/2025

Updated

10/15/2025

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.opensearch.dataprepper.plugins:opensearch	maven	< 2.12.2	2.12.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in the default behavior of several plugins within OpenSearch Data Prepper, which was to disable SSL/TLS certificate validation when no specific certificate was provided in the configuration. This created an insecure-by-default setup, making connections to OpenSearch clusters and other external services vulnerable to Man-in-the-Middle (MITM) attacks. An attacker could intercept and tamper with data in transit.

The analysis of the provided patches shows a consistent pattern of fixing this issue. The core of the vulnerability was in methods responsible for creating SSL contexts and trust managers, such as attachSSLContext and createTrustManagers in the OpenSearch sink and source plugins, and initiateSSL in the GeoIP plugin.

Previously, these methods would instantiate and configure a 'trust-all' manager if a certificate path was absent. The patches rectify this by introducing a mandatory insecure boolean flag. The insecure 'trust-all' behavior is now only activated if this flag is explicitly set to true in the configuration. If the flag is false or absent, the plugins now default to standard, secure TLS validation.

The identified vulnerable functions are the ones that previously implemented this insecure default. During exploitation, a profiler would show these functions being called as part of the connection setup process to OpenSearch or while the GeoIP plugin attempts to download its database.

Vulnerable functions

org.opensearch.dataprepper.plugins.sink.opensearch.ConnectionConfiguration.attachSSLContext

data-prepper-plugins/opensearch/src/main/java/org/opensearch/dataprepper/plugins/sink/opensearch/ConnectionConfiguration.java

The method `attachSSLContext` in `ConnectionConfiguration` for the OpenSearch sink would default to using a 'trust all' SSL strategy if a certificate path was not provided. This made the connection vulnerable to Man-in-the-Middle (MITM) attacks by default. The patch corrects this by only using the trust-all strategy when the 'insecure' option is explicitly set to true.

org.opensearch.dataprepper.plugins.sink.opensearch.ConnectionConfiguration.createTrustManagers

data-prepper-plugins/opensearch/src/main/java/org/opensearch/dataprepper/plugins/sink/opensearch/ConnectionConfiguration.java

The `createTrustManagers` method would return a `X509TrustAllManager`, which disables certificate validation, if no certificate path was provided. This was the default behavior. The patch modifies this method to only return the insecure trust manager if the `insecure` flag is explicitly set to true.

org.opensearch.dataprepper.plugins.source.opensearch.worker.client.OpenSearchClientFactory.createTrustManagers

data-prepper-plugins/opensearch/src/main/java/org/opensearch/dataprepper/plugins/source/opensearch/worker/client/OpenSearchClientFactory.java

The `createTrustManagers` method for the OpenSearch source would default to a trust-all manager if no certificate was configured. This made the source's connection to OpenSearch insecure by default. The patch ensures the trust-all manager is only used when the connection is explicitly configured as insecure.

org.opensearch.dataprepper.plugins.geoip.extension.databasedownload.DBSource.initiateSSL

data-prepper-plugins/geoip-processor/src/main/java/org/opensearch/dataprepper/plugins/geoip/extension/databasedownload/DBSource.java

The `initiateSSL` method in the `DBSource` interface installed a global `SSLSocketFactory` and `HostnameVerifier` that trusted all certificates and hosts. This method was called before downloading GeoIP databases, making the download process vulnerable to MITM attacks. The patch completely removes this insecure method.

org.opensearch.dataprepper.plugins.geoip.extension.databasedownload.HttpDBDownloadService.initiateDownload

data-prepper-plugins/geoip-processor/src/main/java/org/opensearch/dataprepper/plugins/geoip/extension/databasedownload/HttpDBDownloadService.java

This method was vulnerable because it called the `DBSource.initiateSSL()` method, which globally disabled SSL/TLS certificate and hostname validation. The patch removes this call, ensuring that the database download uses secure, default TLS settings.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.4

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-62371: OpenSearch Data Prepper plugins trust all SSL certificates by default

Impact

Patches

Workarounds

OpenSearch sink

OpenSearch source

References

CVE-2025-62371:

7.4

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

7.4

7.4

Basic Information

Basic Information

CVE-2025-62371: OpenSearch Data Prepper plugins trust all SSL certificates by default

Impact

Patches

Workarounds

OpenSearch sink

OpenSearch source

References

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI