N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-9624

CVE-2025-9624: OpenSearch is vulnerable to DoS via complex query_string inputs

A vulnerability in OpenSearch allows attackers to cause Denial of Service (DoS) by submitting complex query_string inputs.

This issue affects all OpenSearch versions below 3.2.0.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-9624

CVE-2025-9624:

N/A

CVSS Score

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.opensearch:opensearch-common	maven	< 3.3.0	3.3.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability allows for a Denial of Service by sending a complex query_string to OpenSearch. The provided patch, found in pull request #19491, introduces a mitigation by adding a length check to the query string. The analysis of the commits associated with this pull request points directly to the org.opensearch.index.search.QueryStringQueryParser.parse method. In commit f63df79004f3ac0d49078466af71df8e19e16787, a check is added to this method to ensure the query string length does not exceed a new configurable setting, search.query.max_query_string_length. Before this change, the method would pass the raw, unchecked query string to the underlying XQueryParser, which would then trigger the DoS condition when processing a very long and complex input. Therefore, the parse method is the entry point for the malicious input and is the function that would appear in a runtime profile during exploitation.

Vulnerable functions

org.opensearch.index.search.QueryStringQueryParser.parse

server/src/main/java/org/opensearch/index/search/QueryStringQueryParser.java

The `parse` method in `QueryStringQueryParser` is responsible for parsing user-supplied query strings. Before the patch, this method did not enforce any limit on the length of the query string. This allowed an attacker to submit an excessively long and complex query. The underlying Lucene parser (`XQueryParser`) would then attempt to process this query, leading to extreme resource consumption (CPU and memory) and causing a Denial of Service (DoS). The patch mitigates this by introducing a check at the beginning of the method to validate the query's length against a configurable limit.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-9624: OpenSearch is vulnerable to DoS via complex query_string inputs

CVE-2025-9624:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

CVE-2025-9624: OpenSearch is vulnerable to DoS via complex query_string inputs

N/A

N/A

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI