CVE-2025-37729Improper Neutralization of Special Elements Used in a Template Engine in Cloud Enterprise

CWE-1336Improper Neutralization of Special Elements Used in a Template Engine3 documents3 sources
Severity
7.2HIGHNVD
CNA9.1
EPSS
0.1%
top 83.59%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Elastic Cloud Enterprise
Timeline
PublishedOct 13

Description

Improper neutralization of special elements used in a template engine in Elastic Cloud Enterprise (ECE) can lead to a malicious actor with Admin access exfiltrating sensitive information and issuing commands via a specially crafted string where Jinjava variables are evaluated.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages2 packages

NVDelastic/elastic_cloud_enterprise2.5.03.8.2+1
CVEListV5elastic/elastic_cloud_enterprise2.5.03.8.1+1

🔴Vulnerability Details

2
CVEList
Elastic Cloud Enterprise (ECE) Improper Neutralization of Special Elements Used in a Template Engine2025-10-13
GHSA
GHSA-9w6c-7rw2-2w66: Improper neutralization of special elements used in a template engine in Elastic Cloud Enterprise (ECE) can lead to a malicious actor with Admin acces2025-10-13
CVE-2025-37729 — Elastic Cloud Enterprise vulnerability | cvebase