
GHSA-3xgr-h5hq-7299: GeoIP processor disables SSL certificate validation when downloading databases

CVSS Score
5.9 (CVSS v3.1)

Basic Information

CVE ID
-
EPSS Score
-
Published
10/15/2025
Updated
10/15/2025
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Package Name
org.opensearch.dataprepper.plugins:geoip-processor
Ecosystem
maven
Vulnerable Versions
>= 2.7.0, < 2.12.2
First Patched Version
2.12.2

Vulnerability Intelligence

Root Cause Analysis

The vulnerability is caused by a custom and insecure SSL implementation in the GeoIP processor of Data Prepper. The DBSource.initiateSSL() method was created to intentionally bypass SSL certificate and hostname verification during the download of GeoIP databases. This method was called by HttpDBDownloadService.initiateDownload(), which is responsible for fetching the database from a URL. This creates a Man-in-the-Middle (MITM) vulnerability, allowing an attacker to intercept the connection and provide a malicious GeoIP database. The patch addresses this by completely removing the initiateSSL() method and its call from HttpDBDownloadService.initiateDownload(), thereby ensuring that the standard and secure Java TLS implementation is used for all HTTPS connections. The primary vulnerable function is DBSource.initiateSSL() due to its insecure implementation, and HttpDBDownloadService.initiateDownload() is the function that triggers the vulnerability by calling it.

Vulnerable functions

org.opensearch.dataprepper.plugins.geoip.extension.databasedownload.DBSource.initiateSSL
data-prepper-plugins/geoip-processor/src/main/java/org/opensearch/dataprepper/plugins/geoip/extension/databasedownload/DBSource.java
This function implements a custom SSL context that explicitly disables certificate and hostname verification. It creates a `TrustManager` that accepts all server certificates and a `HostnameVerifier` that accepts all hostnames. This makes any HTTPS connection using this configuration vulnerable to Man-in-the-Middle (MITM) attacks.
org.opensearch.dataprepper.plugins.geoip.extension.databasedownload.HttpDBDownloadService.initiateDownload
data-prepper-plugins/geoip-processor/src/main/java/org/opensearch/dataprepper/plugins/geoip/extension/databasedownload/HttpDBDownloadService.java
This function calls the insecure `initiateSSL()` method before downloading the GeoIP database. By calling `initiateSSL()`, it makes the entire database download process vulnerable to MITM attacks, as SSL certificate validation is disabled. The patch removes this call.
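A hardened download routine in the shape the patch leaves behind, added here as an example and not code from the Data Prepper project: it relies on the JVM's default TLS validation instead of a custom SSLContext, refuses plaintext URLs, and carries a small self-check that trips if an accept-all HostnameVerifier has been installed process-wide. The class and method names, the timeouts and the HTTPS-only rule are this example's own assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;

/** Hypothetical hardened fetch: no custom SSLContext, no custom HostnameVerifier. */
public final class SafeGeoIpDownload {

    /** True while the JVM's default hostname verifier is still the strict one. */
    static boolean defaultVerifierIsStrict() {
        HostnameVerifier v = HttpsURLConnection.getDefaultHostnameVerifier();
        // The JDK default verifier answers false for any host without a verified
        // session, so a true here means an accept-all verifier was installed.
        return !v.verify("not-a-real-host.invalid", null);
    }

    /** Downloads the database using the standard Java TLS stack (the patched shape). */
    static Path download(URL databaseUrl, Path destination) throws IOException {
        if (!"https".equalsIgnoreCase(databaseUrl.getProtocol())) {
            throw new IOException("refusing plaintext download of " + databaseUrl);
        }
        if (!defaultVerifierIsStrict()) {
            throw new IOException("JVM default hostname verification has been disabled");
        }
        HttpsURLConnection conn = (HttpsURLConnection) databaseUrl.openConnection();
        // Deliberately no setSSLSocketFactory(...) / setHostnameVerifier(...): the
        // JVM truststore and the built-in hostname check validate the server.
        conn.setConnectTimeout(10_000);
        conn.setReadTimeout(30_000);
        if (conn.getResponseCode() != 200) {
            throw new IOException("unexpected HTTP status " + conn.getResponseCode());
        }
        try (InputStream in = conn.getInputStream()) {
            Files.copy(in, destination, StandardCopyOption.REPLACE_EXISTING);
        }
        return destination;
    }

    public static void main(String[] args) {
        // Offline self-check: on a fresh JVM the guard reports strict.
        System.out.println("default verifier strict: " + defaultVerifierIsStrict());
        // Reproduce the defect class locally: install an accept-all verifier.
        HttpsURLConnection.setDefaultHostnameVerifier((host, session) -> true);
        System.out.println("after accept-all install: " + defaultVerifierIsStrict());
    }
}
```

Running main needs no network; the second line shows the guard flagging the weakened default, which is the condition a startup check for this plugin would want to fail on.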

WAF Protection Rules

WAF Rule

Impact
The GeoIP processor in Data Prepper was configured to trust all SSL certificates and disable hostname verification when downloading GeoIP databases from HTTP URLs, making downloads vulnerable to man-in-the-middle attacks. The GeoIP pro
