5.7

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-rrmm-wq7q-h4v5

EPSS Score

CWE

CWE-200

Published

8/1/2025

Updated

8/1/2025

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-rrmm-wq7q-h4v5

GHSA-rrmm-wq7q-h4v5: OpenSearch unauthorized data access on fields protected by field masking for fields of type ip, geo_point, geo_shape, xy_point, xy_shape

Impact

OpenSearch versions 2.19.2 and earlier improperly apply field masking rules on fields of the types ip, geo_point, geo_shape, xy_point, xy_shape. While the content of these fields is properly redacted in the _source document returned by search operations, the original unredacted values remain available to search queries. This allows to reconstruct the original field contents using range queries.

Additionally, the content of fields of type geo_point, geo_shape, xy_point, xy_shape is returned in an unredacted form if requested via the fields option of the search API.

Patches

The issue has been resolved in OpenSearch 3.0.0 and OpenSearch 2.19.3.

Workarounds

If you cannot upgrade immediately, you can avoid the problem by using field level security (FLS) protection on fields of the affected types instead of field masking.

(GitHub Advisory)

5.7

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-rrmm-wq7q-h4v5

EPSS Score

CWE

CWE-200

Published

8/1/2025

Updated

8/1/2025

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.opensearch.plugin:opensearch-security	maven	< 2.19.3.0	2.19.3.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists in how OpenSearch Security handles field masking for specific data types. The core of the issue lies in the DlsFlsFilterLeafReader class, which is responsible for applying Document Level Security (DLS) and Field Level Security (FLS) rules. The investigation of the security patch revealed that several methods in this class, namely getPointValues, getNumericDocValues, and getSortedNumericDocValues, were only checking for FLS rules and were not correctly handling fields that were configured for masking. This meant that for masked fields of the affected types (ip, geo_point, etc.), these methods would return the original, unredacted data from the underlying Lucene index. An attacker could exploit this by crafting specific search queries (e.g., range queries) or by requesting the fields directly, thereby bypassing the field masking protection and accessing sensitive information. The patch addresses this by introducing a new check that ensures that masked fields are not returned in their original form, effectively closing the data leakage path.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t Op*nS**r** v*rsions *.**.* *n* **rli*r improp*rly *pply *i*l* m*skin* rul*s on *i*l*s o* t** typ*s `ip`, `**o_point`, `**o_s**p*`, `xy_point`, `xy_s**p*`. W*il* t** *ont*nt o* t**s* *i*l*s is prop*rly r****t** in t** `_sour**` *o*um*nt r*

Reasoning

T** vuln*r**ility *xists in *ow Op*nS**r** S**urity **n*l*s *i*l* m*skin* *or sp**i*i* **t* typ*s. T** *or* o* t** issu* li*s in t** `*ls*ls*ilt*rL***R****r` *l*ss, w*i** is r*sponsi*l* *or *pplyin* *o*um*nt L*v*l S**urity (*LS) *n* *i*l* L*v*l S**ur

5.7

Basic Information

Concerned about an active attack path?

GHSA-rrmm-wq7q-h4v5: OpenSearch unauthorized data access on fields protected by field masking for fields of type ip, geo_point, geo_shape, xy_point, xy_shape

Impact

Patches

Workarounds

5.7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI