CVE-2025-68384
Published: 2025-12-18
Priority: P4 · Severity: medium · CVSS 3.1 base score: 6.5
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.24% (15.6th percentile)
Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow a low-privileged authenticated user to cause Excessive Allocation (CAPEC-130) causing a persistent denial of service (OOM crash) via submission of oversized user settings data.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| elastic | elasticsearch | 7.0.0 – 7.17.29 | — |
| elastic | elasticsearch | >= 8.0.0 < 8.19.9 | 8.19.9 |
| elastic | elasticsearch | 8.0.0 – 8.19.8 | — |
| elastic | elasticsearch | >= 9.0.0 < 9.1.9 | 9.1.9 |
| elastic | elasticsearch | 9.0.0 – 9.1.8 | — |
| elastic | elasticsearch | >= 9.2.0 < 9.2.3 | 9.2.3 |
| elastic | elasticsearch | 9.2.0 – 9.2.2 | — |
| msrc | azl3_rubygem-elasticsearch_8.9.0-1_on_azure_linux_3.0 | — | — |
| msrc | cbl2_rubygem-elasticsearch_8.3.0-1_on_cbl_mariner_2.0 | — | — |
CVSS provenance
- nvd (v3.1): 6.5 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- osv: 6.5 MEDIUM
- vendor_msrc: 6.5 MEDIUM
- vendor_redhat: 6.5 MEDIUM
GHSA
Elasticsearch has Excessive Allocation of Resources via Submission of Oversized User Settings Data
ghsa · 2025-12-19 · MEDIUM · CWE-770
OSV
Elasticsearch has Excessive Allocation of Resources via Submission of Oversized User Settings Data
osv · 2025-12-19 · MEDIUM
OSV
CVE-2025-68384: Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow a low-privileged authenticated user to cause Excessive Alloc
osv · 2025-12-18 · CVSS 6.5 · MEDIUM
Red Hat
elasticsearch: Elasticsearch Allocation of Resources Without Limits or Throttling
vendor_redhat · 2025-12-18 · CVSS 6.5 · MEDIUM · CWE-770
A flaw was found in Elasticsearch. A low-privileged authenticated user can cause an excessive memory allocation via submission of oversized user settings data, resulting in a denial of service.
Statement: This issue can only be exploited by a low-privileged authenticated user, limiting the scope to legitimate users of Elasticsearch. Additionally, the only security impact of this flaw is a denial of service due to excessive memory allocation. Du
Microsoft
Elasticsearch Allocation of Resources Without Limits or Throttling
vendor_msrc · 2025-12-09 · CVSS 6.5 · MEDIUM · CWE-770
Affected products (MSRC): Mariner, elastic
Customer action required: Yes
Detection rules: none found.
Public exploits: none indexed.
Published: 2025-12-18