CVE-2025-37727 — Log File Information Exposure in Elasticsearch

CWE-532 — Log File Information Exposure7 documents6 sources

Severity

5.7MEDIUMNVD

EPSS

0.0%

top 94.56%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Elastic Elasticsearch

Timeline

PublishedOct 10

Latest updateOct 14

Description

Insertion of sensitive information in log file in Elasticsearch can lead to loss of confidentiality under specific preconditions when auditing requests to the reindex API https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-reindex

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.1 | Impact: 3.6

Affected Packages2 packages

▶NVDelastic/elasticsearch8.0.0 — 8.18.8+4

▶CVEListV5elastic/elasticsearch8.0.0 — 8.18.7+4

🔴Vulnerability Details

OSV

Elasticsearch: Insertion of Sensitive Information into Log File via reindex API↗2025-10-10

▶

GHSA

Elasticsearch: Insertion of Sensitive Information into Log File via reindex API↗2025-10-10

▶

OSV

CVE-2025-37727: Insertion of sensitive information in log file in Elasticsearch can lead to loss of confidentiality under specific preconditions when auditing request↗2025-10-10

▶

CVEList

Elasticsearch Insertion of sensitive information in log file↗2025-10-10

▶

📋Vendor Advisories

Microsoft

Elasticsearch Insertion of sensitive information in log file↗2025-10-14

▶

Red Hat

org.elasticsearch/elasticsearch-core: Elasticsearch Insertion of sensitive information in log file↗2025-10-10

▶