The CVE-2025-XXXXX vulnerability in Elasticsearch occurs when the reindex API is used with a source that requires authentication, such as a remote cluster or a secured third-party data store. When auditing is enabled for the reindex action, Elasticsearch writes the entire reindex request to its audit log files. This logging mechanism fails to redact sensitive authentication credentials, such as passwords or API keys, contained in the request's `"source"` parameter. Specifically, the `"auth"` object and other security-related fields within the source configuration are written in plaintext to the log files. An attacker with read access to these log files could extract the credentials, leading to a potential compromise of the external systems the reindex operation was authorized to access. The vulnerability is contingent on the auditing feature being active for reindex requests.
Platform: Elasticsearch
Version: 7.0.0-8.18.7
Vulnerability: Information Disclosure
Severity: Moderate
Date: 2025-10-11
Prediction: Patch 2025-10-25
What Undercode Say:
# Locate reindex entries in the audit trail, then pull the logged request bodies.
# The audit JSON uses flat dotted keys, so "request.body" must be addressed as one key.
grep -r "reindex" /var/log/elasticsearch/
cat /path/to/audit.log | jq -r '.["request.body"] // empty'

# Example of a logged request body, with the remote credentials in plaintext:
{
  "source": {
    "remote": {
      "host": "https://other-cluster:9200",
      "auth": {
        "username": "elastic",
        "password": "s3cr3tpassw0rd"
      }
    },
    "index": "source-index"
  },
  "dest": {
    "index": "dest-index"
  }
}
How to Exploit:
Read audit logs.
Protection from this CVE:
Update to patched versions.
Disable reindex auditing.
Restrict log file access.
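As an added check to go with the mitigations above (this is example code, not part of the original post and not Elasticsearch's own tooling), a Python scan that flags audit events whose logged request body carries an embedded secret and writes back sanitized copies of the lines. It assumes the audit trail's JSON shape shown in the constructed sample lines (flat dotted keys with `request.body` as a JSON string), and the list of sensitive key names is an assumption to adjust for your environment.

```python
import json

# Constructed audit lines in the shape of Elasticsearch's JSON file audit trail (flat dotted
# keys, "request.body" holding the request as a JSON string); not a real capture.
REINDEX_BODY = {"source": {"remote": {"host": "https://other-cluster:9200",
                                      "auth": {"username": "elastic", "password": "s3cr3tpassw0rd"}},
                           "index": "source-index"}, "dest": {"index": "dest-index"}}
SAMPLE_AUDIT_LINES = [
    json.dumps({"type": "audit", "event.action": "access_granted",
                "action": "indices:data/write/reindex", "request.body": json.dumps(REINDEX_BODY)}),
    json.dumps({"type": "audit", "event.action": "access_granted",
                "action": "indices:data/read/search", "request.body": '{"query":{"match_all":{}}}'}),
    "not json at all",  # noise lines must pass through untouched
]
SENSITIVE_KEYS = {"password", "api_key", "apikey", "authorization", "secret", "token"}  # assumed

def redact(obj):
    """Mask string values stored under sensitive keys in nested dicts; returns (copy, hits)."""
    if isinstance(obj, dict):
        out, hits = {}, 0
        for key, value in obj.items():
            if key.lower() in SENSITIVE_KEYS and isinstance(value, str):
                out[key], hits = "<REDACTED>", hits + 1
            else:
                out[key], sub = redact(value)
                hits += sub
        return out, hits
    return obj, 0

def scan_audit_lines(lines):
    """Return (findings, sanitized): a finding per event whose body held a secret, plus every line rewritten with secrets masked."""
    findings, sanitized = [], []
    for line in lines:
        try:
            event = json.loads(line)
            body = json.loads(event["request.body"])
        except (ValueError, TypeError, KeyError):
            sanitized.append(line)  # no parseable request body: leave the line alone
            continue
        if isinstance(body, dict):
            cleaned, hits = redact(body)
            if hits:
                src = body.get("source") if isinstance(body.get("source"), dict) else {}
                host = src["remote"].get("host") if isinstance(src.get("remote"), dict) else None
                findings.append({"action": event.get("action"), "secrets_redacted": hits,
                                 "remote_host": host})
                event["request.body"] = json.dumps(cleaned)
        sanitized.append(json.dumps(event))
    return findings, sanitized
```

The `remote_host` in each finding tells you which external system's credential was exposed and therefore needs rotating; the sanitized lines can replace the log content once the originals have been handled.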
Impact:
Credential leakage.
Loss of confidentiality.
Sources:
Reported By: github.com