CVE-2025-62371

OpenSearch Data Prepper as an open source data collector for observability data. In versions prior to 2.12.2, the OpenSearch sink and source plugins in Data Prepper trust all SSL certificates by default when no certificate path is provided. Prior to this fix, the OpenSearch sink and source plugins would automatically use a trust all SSL strategy when connecting to OpenSearch clusters if no certificate path was explicitly configured. This behavior bypasses SSL certificate validation, potentially allowing attackers to intercept and modify data in transit through man-in-the-middle attacks. The vulnerability affects connections to OpenSearch when the cert parameter is not explicitly provided. This issue has been patched in version 2.12.2. As a workaround, users can add the cert parameter to their OpenSearch sink or source configuration with the path to the cluster's CA certificate.

CVSS v3 7.4 HIGH

7.4^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.2 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/opensearch-project/data-prepper/commit/98fcf0d0ff9c18f1f7501e11dbed918814724b99
https://github.com/opensearch-project/data-prepper/commit/b0386a5af3fb71094ba6c86cd8b2afc783246599
https://github.com/opensearch-project/data-prepper/commit/db11ce8f27ebca018980b2bca863f7173de9ce56
https://github.com/opensearch-project/data-prepper/security/advisories/GHSA-43ff-rr26-8hx4

Configurations

No configuration.

History

15 Oct 2025, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-10-15 18:15

Updated : 2025-10-16 15:28

NVD link : CVE-2025-62371

Mitre link : CVE-2025-62371

CVE.ORG link : CVE-2025-62371

JSON object : View

Products Affected

No product.

CWE

CWE-295

Improper Certificate Validation

{"id": "CVE-2025-62371", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.2}]}, "published": "2025-10-15T18:15:39.897", "references": [{"url": "https://github.com/opensearch-project/data-prepper/commit/98fcf0d0ff9c18f1f7501e11dbed918814724b99", "source": "security-advisories@github.com"}, {"url": "https://github.com/opensearch-project/data-prepper/commit/b0386a5af3fb71094ba6c86cd8b2afc783246599", "source": "security-advisories@github.com"}, {"url": "https://github.com/opensearch-project/data-prepper/commit/db11ce8f27ebca018980b2bca863f7173de9ce56", "source": "security-advisories@github.com"}, {"url": "https://github.com/opensearch-project/data-prepper/security/advisories/GHSA-43ff-rr26-8hx4", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-295"}]}], "descriptions": [{"lang": "en", "value": "OpenSearch Data Prepper as an open source data collector for observability data. In versions prior to 2.12.2, the OpenSearch sink and source plugins in Data Prepper trust all SSL certificates by default when no certificate path is provided. Prior to this fix, the OpenSearch sink and source plugins would automatically use a trust all SSL strategy when connecting to OpenSearch clusters if no certificate path was explicitly configured. This behavior bypasses SSL certificate validation, potentially allowing attackers to intercept and modify data in transit through man-in-the-middle attacks. The vulnerability affects connections to OpenSearch when the cert parameter is not explicitly provided. This issue has been patched in version 2.12.2. As a workaround, users can add the cert parameter to their OpenSearch sink or source configuration with the path to the cluster's CA certificate."}], "lastModified": "2025-10-16T15:28:59.610", "sourceIdentifier": "security-advisories@github.com"}