CVE-2025-37727

MEDIUM severity · CVSS 5.7 · CWE-532

5.7CVSS MEDIUM

Summary

Insertion of sensitive information in log file in Elasticsearch can lead to loss of confidentiality under specific preconditions when auditing requests to the reindex API https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-reindex

Impact & exploitability

Attack vectorAdjacent

Attack complexityLow

Privileges requiredLow

User interactionNone

Confidentiality impactHigh

Integrity impactNone

Availability impactNone

Exploit probability (EPSS)0%

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Affected products we track (1)

Elasticsearch

Recommendation

Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.

Additional information

NVD record
https://discuss.elastic.co/t/elasticsearch-8-18-8-8-19-5-9-0-8-9-1-5-security-update-esa-2025-18/382453Advisory