CVSS: 6.1EPSS: %CPEs: 4EXPL: 0CVE-2025-68390 – Elasticsearch Allocation of Resources Without Limits or Throttling
https://notcve.org/view.php?id=CVE-2025-68390
18 Dec 2025 — Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow an authenticated user with snapshot restore privileges to cause Excessive Allocation (CAPEC-130) of memory and a denial of service (DoS) via crafted HTTP request. • https://discuss.elastic.co/t/elasticsearch-8-19-8-9-1-8-and-9-2-2-security-update-esa-2025-37/384185 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 6.8EPSS: %CPEs: 4EXPL: 0CVE-2025-68384 – Elasticsearch Allocation of Resources Without Limits or Throttling
https://notcve.org/view.php?id=CVE-2025-68384
18 Dec 2025 — Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow a low-privileged authenticated user to cause Excessive Allocation (CAPEC-130) causing a persistent denial of service (OOM crash) via submission of oversized user settings data. • https://discuss.elastic.co/t/elasticsearch-8-19-9-9-1-9-and-9-2-3-security-update-esa-2025-33/384181 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 6.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-37731 – Elasticsearch Improper Authentication
https://notcve.org/view.php?id=CVE-2025-37731
15 Dec 2025 — Improper Authentication in Elasticsearch PKI realm can lead to user impersonation via specially crafted client certificates. A malicious actor would need to have such a crafted client certificate signed by a legitimate, trusted Certificate Authority. • https://discuss.elastic.co/t/elasticsearch-8-19-8-9-1-8-and-9-2-2-security-update-esa-2025-27/384063 • CWE-287: Improper Authentication •
CVSS: 5.7EPSS: 0%CPEs: 5EXPL: 0CVE-2025-37727 – Elasticsearch Insertion of sensitive information in log file
https://notcve.org/view.php?id=CVE-2025-37727
10 Oct 2025 — Insertion of sensitive information in log file in Elasticsearch can lead to loss of confidentiality under specific preconditions when auditing requests to the reindex API https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-reindex • https://discuss.elastic.co/t/elasticsearch-8-18-8-8-19-5-9-0-8-9-1-5-security-update-esa-2025-18/382453 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-52979 – Elasticsearch Uncontrolled Resource Consumption vulnerability
https://notcve.org/view.php?id=CVE-2024-52979
01 May 2025 — Uncontrolled Resource Consumption in Elasticsearch while evaluating specifically crafted search templates with Mustache functions can lead to Denial of Service by causing the Elasticsearch node to crash. • https://discuss.elastic.co/t/elasticsearch-7-17-25-and-8-16-0-security-update-esa-2024-40/377709 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-52981
https://notcve.org/view.php?id=CVE-2024-52981
08 Apr 2025 — An issue was discovered in Elasticsearch, where a large recursion using the Well-KnownText formatted string with nested GeometryCollection objects could cause a stackoverflow. • https://discuss.elastic.co/t/elasticsearch-7-17-24-and-8-15-1-security-update-esa-2024-37/376924 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-52980 – Elasticsearch Uncontrolled Resource Consumption vulnerability
https://notcve.org/view.php?id=CVE-2024-52980
08 Apr 2025 — A flaw was discovered in Elasticsearch, where a large recursion using the innerForbidCircularReferences function of the PatternBank class could cause the Elasticsearch node to crash. A successful attack requires a malicious user to have read_pipeline Elasticsearch cluster privilege assigned to them. • https://discuss.elastic.co/t/elasticsearch-8-15-1-security-update-esa-2024-34/376919 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-43709 – Elasticsearch allocation of resources without limits or throttling leads to crash
https://notcve.org/view.php?id=CVE-2024-43709
21 Jan 2025 — An allocation of resources without limits or throttling in Elasticsearch can lead to an OutOfMemoryError exception resulting in a crash via a specially crafted query using an SQL function. • https://discuss.elastic.co/t/elasticsearch-7-17-21-and-8-13-3-security-update-esa-2024-25/373442 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-12539 – Elasticsearch Incorrect Authorization
https://notcve.org/view.php?id=CVE-2024-12539
17 Dec 2024 — An issue was discovered where improper authorization controls affected certain queries that could allow a malicious actor to circumvent Document Level Security in Elasticsearch and get access to documents that their roles would normally not allow. • https://discuss.elastic.co/t/elasticsearch-8-16-2-8-17-0-security-update/372091 • CWE-863: Incorrect Authorization •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-23444 – Elasticsearch elasticsearch-certutil csr fails to encrypt private key
https://notcve.org/view.php?id=CVE-2024-23444
31 Jul 2024 — It was discovered by Elastic engineering that when elasticsearch-certutil CLI tool is used with the csr option in order to create a new Certificate Signing Requests, the associated private key that is generated is stored on disk unencrypted even if the --pass parameter is passed in the command invocation. • https://discuss.elastic.co/t/elasticsearch-8-13-0-7-17-23-security-update-esa-2024-12/364157 • CWE-311: Missing Encryption of Sensitive Data •