CVSS: 6.1EPSS: %CPEs: 4EXPL: 0CVE-2025-68390 – Elasticsearch Allocation of Resources Without Limits or Throttling
https://notcve.org/view.php?id=CVE-2025-68390
18 Dec 2025 — Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow an authenticated user with snapshot restore privileges to cause Excessive Allocation (CAPEC-130) of memory and a denial of service (DoS) via crafted HTTP request. • https://discuss.elastic.co/t/elasticsearch-8-19-8-9-1-8-and-9-2-2-security-update-esa-2025-37/384185 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 6.8EPSS: %CPEs: 4EXPL: 0CVE-2025-68384 – Elasticsearch Allocation of Resources Without Limits or Throttling
https://notcve.org/view.php?id=CVE-2025-68384
18 Dec 2025 — Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow a low-privileged authenticated user to cause Excessive Allocation (CAPEC-130) causing a persistent denial of service (OOM crash) via submission of oversized user settings data. • https://discuss.elastic.co/t/elasticsearch-8-19-9-9-1-9-and-9-2-3-security-update-esa-2025-33/384181 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 6.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-37731 – Elasticsearch Improper Authentication
https://notcve.org/view.php?id=CVE-2025-37731
15 Dec 2025 — Improper Authentication in Elasticsearch PKI realm can lead to user impersonation via specially crafted client certificates. A malicious actor would need to have such a crafted client certificate signed by a legitimate, trusted Certificate Authority. • https://discuss.elastic.co/t/elasticsearch-8-19-8-9-1-8-and-9-2-2-security-update-esa-2025-27/384063 • CWE-287: Improper Authentication •
CVSS: 5.7EPSS: 0%CPEs: 5EXPL: 0CVE-2025-37727 – Elasticsearch Insertion of sensitive information in log file
https://notcve.org/view.php?id=CVE-2025-37727
10 Oct 2025 — Insertion of sensitive information in log file in Elasticsearch can lead to loss of confidentiality under specific preconditions when auditing requests to the reindex API https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-reindex • https://discuss.elastic.co/t/elasticsearch-8-18-8-8-19-5-9-0-8-9-1-5-security-update-esa-2025-18/382453 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-52979 – Elasticsearch Uncontrolled Resource Consumption vulnerability
https://notcve.org/view.php?id=CVE-2024-52979
01 May 2025 — Uncontrolled Resource Consumption in Elasticsearch while evaluating specifically crafted search templates with Mustache functions can lead to Denial of Service by causing the Elasticsearch node to crash. • https://discuss.elastic.co/t/elasticsearch-7-17-25-and-8-16-0-security-update-esa-2024-40/377709 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-52981
https://notcve.org/view.php?id=CVE-2024-52981
08 Apr 2025 — An issue was discovered in Elasticsearch, where a large recursion using the Well-KnownText formatted string with nested GeometryCollection objects could cause a stackoverflow. • https://discuss.elastic.co/t/elasticsearch-7-17-24-and-8-15-1-security-update-esa-2024-37/376924 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-52980 – Elasticsearch Uncontrolled Resource Consumption vulnerability
https://notcve.org/view.php?id=CVE-2024-52980
08 Apr 2025 — A flaw was discovered in Elasticsearch, where a large recursion using the innerForbidCircularReferences function of the PatternBank class could cause the Elasticsearch node to crash. A successful attack requires a malicious user to have read_pipeline Elasticsearch cluster privilege assigned to them. • https://discuss.elastic.co/t/elasticsearch-8-15-1-security-update-esa-2024-34/376919 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-43709 – Elasticsearch allocation of resources without limits or throttling leads to crash
https://notcve.org/view.php?id=CVE-2024-43709
21 Jan 2025 — An allocation of resources without limits or throttling in Elasticsearch can lead to an OutOfMemoryError exception resulting in a crash via a specially crafted query using an SQL function. • https://discuss.elastic.co/t/elasticsearch-7-17-21-and-8-13-3-security-update-esa-2024-25/373442 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-12539 – Elasticsearch Incorrect Authorization
https://notcve.org/view.php?id=CVE-2024-12539
17 Dec 2024 — An issue was discovered where improper authorization controls affected certain queries that could allow a malicious actor to circumvent Document Level Security in Elasticsearch and get access to documents that their roles would normally not allow. • https://discuss.elastic.co/t/elasticsearch-8-16-2-8-17-0-security-update/372091 • CWE-863: Incorrect Authorization •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2023-49921
https://notcve.org/view.php?id=CVE-2023-49921
26 Jul 2024 — An issue was discovered by Elastic whereby Watcher search input logged the search query results on DEBUG log level. This could lead to raw contents of documents stored in Elasticsearch to be printed in logs. Elastic has released 8.11.2 and 7.17.16 that resolves this issue by removing this excessive logging. This issue only affects users that use Watcher and have a Watch defined that uses the search input and additionally have set the search input’s logger to DEBUG or finer, for example using: org.elasticsea... • https://discuss.elastic.co/t/elasticsearch-8-11-2-7-17-16-security-update-esa-2023-29/349179 • CWE-532: Insertion of Sensitive Information into Log File •