6.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-68384

CVE-2025-68384: Elasticsearch has Excessive Allocation of Resources via Submission of Oversized User Settings Data

Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow a low-privileged authenticated user to cause Excessive Allocation (CAPEC-130) causing a persistent denial of service (OOM crash) via submission of oversized user settings data.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-68384

CVE-2025-68384:

6.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.elasticsearch.plugin:x-pack-security	maven	< 8.19.9	8.19.9
org.elasticsearch.plugin:x-pack-security	maven	>= 9.0.0, < 9.1.9	9.1.9
org.elasticsearch.plugin:x-pack-security	maven	>= 9.2.0, < 9.2.3	9.2.3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in the lack of input validation on the size of user profile data. The provided patches clearly show that the updateProfileData method in org.elasticsearch.xpack.security.profile.ProfileService is the point where this vulnerability is addressed. The original implementation of this method processed user profile updates without any size checks. The patch rectifies this by introducing a new setting xpack.security.profile.max_size and a new method validateProfileSize which is called from within updateProfileData. An attacker exploiting this vulnerability would be calling the API endpoint that triggers the updateProfileData method, making it the primary function that would appear in a runtime profile during exploitation. The other changes in the commits are supporting changes for this fix, such as adding the setting and test cases.

Vulnerable functions

org.elasticsearch.xpack.security.profile.ProfileService.updateProfileData

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/profile/ProfileService.java

The `updateProfileData` function is responsible for handling updates to user profiles. Prior to the patch, this function did not validate the size of the incoming `UpdateProfileDataRequest`. This allowed an authenticated user to send a request with an excessively large payload, leading to an OutOfMemoryError on the server and causing a denial of service. The patch introduces a call to the new `validateProfileSize` function, which checks the size of the profile data against a configurable limit before processing the update.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-68384: Elasticsearch has Excessive Allocation of Resources via Submission of Oversized User Settings Data

CVE-2025-68384:

6.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2025-68384: Elasticsearch has Excessive Allocation of Resources via Submission of Oversized User Settings Data

Basic Information

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

6.5

6.5

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI