CVE-2025-68390
Published 2025-12-18
CVE-2025-68390: Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow an authenticated user with snapshot restore privileges to cause…
Priority P4 · 22 · medium · 4.9 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.33% (24.7th percentile)
Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow an authenticated user with snapshot restore privileges to cause Excessive Allocation (CAPEC-130) of memory and a denial of service (DoS) via crafted HTTP request.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| elastic | elasticsearch | 7.0.0 – 7.17.29 | — |
| elastic | elasticsearch | >= 8.0.0 < 8.19.8 | 8.19.8 |
| elastic | elasticsearch | 8.0.0 – 8.19.7 | — |
| elastic | elasticsearch | >= 9.0.0 < 9.1.8 | 9.1.8 |
| elastic | elasticsearch | 9.0.0 – 9.1.7 | — |
| elastic | elasticsearch | >= 9.2.0 < 9.2.2 | 9.2.2 |
| elastic | elasticsearch | 9.2.0 – 9.2.1 | — |
| msrc | azl3_rubygem-elasticsearch_8.9.0-1_on_azure_linux_3.0 | — | — |
| msrc | cbl2_rubygem-elasticsearch_8.3.0-1_on_cbl_mariner_2.0 | — | — |
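The advisory's only exploitable precondition is a node in one of the ranges above plus a caller holding snapshot restore privileges, so the two things to check are the running version and who can reach the restore API. The script below is an added example, not code from this page or from Elastic: it encodes the Affected table as data, classifies a version string as affected, fixed (at or above the listed fix on the same major.minor line) or not listed (the table makes no claim about it, which is how a 7.x release above 7.17.29 comes out, since no 7.x fix is listed), reads the version out of the JSON that `GET /` returns, and lists roles from a `GET _security/role` response whose cluster privileges would let them restore. The set of cluster privileges treated as restore-capable is an assumption of this example, and both JSON bodies are constructed samples rather than captures from a real cluster.

```python
"""Added example for CVE-2025-68390 (not from the advisory or from Elastic):
classify an Elasticsearch version against the ranges on this page and flag
roles that could reach the snapshot restore API."""
import json
import re

# Copied from the Affected table above: (first affected, last affected,
# first fixed). The 7.x line lists no fixed release, hence None.
AFFECTED_RANGES = [
    ((7, 0, 0), (7, 17, 29), None),
    ((8, 0, 0), (8, 19, 7), (8, 19, 8)),
    ((9, 0, 0), (9, 1, 7), (9, 1, 8)),
    ((9, 2, 0), (9, 2, 1), (9, 2, 2)),
]


def parse_version(text: str) -> tuple:
    """'8.19.7' or '8.19.7-SNAPSHOT' -> (8, 19, 7); anything else raises."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[-+][0-9A-Za-z.]+)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Elasticsearch version {text!r}")
    return tuple(int(x) for x in m.groups())


def _dotted(v) -> str:
    return ".".join(map(str, v))


def assess(version: str) -> dict:
    """'affected'   : inside a listed range (fixed_in may be None for 7.x)
       'fixed'      : at or above the listed fix on the same major.minor line
       'not_listed' : outside every range on this page; no claim is made."""
    v = parse_version(version)
    for lo, hi, fixed in AFFECTED_RANGES:
        if lo <= v <= hi:
            return {"version": version, "status": "affected",
                    "fixed_in": _dotted(fixed) if fixed else None}
    for _, _, fixed in AFFECTED_RANGES:
        if fixed and v[:2] == fixed[:2] and v >= fixed:
            return {"version": version, "status": "fixed",
                    "fixed_in": _dotted(fixed)}
    return {"version": version, "status": "not_listed", "fixed_in": None}


def version_from_root_response(body: str) -> str:
    """Pull version.number out of the JSON document that GET / returns."""
    return json.loads(body)["version"]["number"]


# Assumption of this example: cluster privileges treated as sufficient to call
# the restore API. 'all' certainly is; confirm the rest against the docs for
# the release you run before acting on the output.
RESTORE_CAPABLE_CLUSTER_PRIVS = {"all", "manage"}


def roles_with_restore_access(roles_body: str) -> list:
    """Given the JSON from GET _security/role (role name -> definition),
    return the names whose 'cluster' list holds a restore-capable privilege."""
    roles = json.loads(roles_body)
    return sorted(name for name, spec in roles.items()
                  if RESTORE_CAPABLE_CLUSTER_PRIVS & set(spec.get("cluster", [])))


if __name__ == "__main__":
    # Constructed sample responses, not captured from a real cluster.
    root = ('{"name": "node-1", "version": {"number": "8.19.7"}, '
            '"tagline": "You Know, for Search"}')
    roles = json.dumps({
        "superuser": {"cluster": ["all"]},
        "backup_operator": {"cluster": ["manage", "monitor"]},
        "log_reader": {"cluster": ["monitor"],
                       "indices": [{"names": ["logs-*"], "privileges": ["read"]}]},
    })
    print(assess(version_from_root_response(root)))
    print("roles able to reach snapshot restore:", roles_with_restore_access(roles))
```

Feed it the bodies of `curl -u user:pass https://es:9200/` and `curl -u user:pass https://es:9200/_security/role`; a result of `not_listed` means the table on this page says nothing about that version, not that it is safe.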
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 4.9 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
| osv | 4.9 | MEDIUM | — |
| vendor_msrc | 4.9 | MEDIUM | — |
| vendor_redhat | 4.9 | MEDIUM | — |
Red Hat
elasticsearch: Elasticsearch Allocation of Resources Without Limits or Throttling
vendor_redhat · 2025-12-18 · CVSS 4.9 · MEDIUM · CWE-770
A flaw was found in Elasticsearch. An authenticated user, with snapshot restore privileges, can cause an excessive memory allocation via a crafted HTTP request, resulting in a denial of service.
Statement: This issue can only be exploited by an authenticated user with snapshot restore privileges, limiting the scope to legitimate users of Elasticsearch. Additionally, the only security impact of this flaw is a denial of service due to excessive memory allocati
Microsoft
Elasticsearch Allocation of Resources Without Limits or Throttling
vendor_msrc · 2025-12-09 · CVSS 4.9 · MEDIUM · CWE-770
Products: Mariner; elastic
Customer Action Required: Yes
OSV
Elasticsearch privileged authenticated users can cause DoS through Excessive Resource Allocation
osv · 2025-12-19 · MEDIUM
GHSA
Elasticsearch privileged authenticated users can cause DoS through Excessive Resource Allocation
ghsa · 2025-12-19 · MEDIUM · CWE-770
OSV
CVE-2025-68390: Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow an authenticated user with snapshot restore privileges to ca
osv · 2025-12-18 · CVSS 4.9 · MEDIUM
No detection rules found.
No public exploits indexed.
Published 2025-12-18