Hello,
we need clarification regarding a vulnerability finding raised by our security scanner on Elasticsearch.
The scanner is reporting the following issue:
- CVE: CVE-2025-46295
- Vulnerability ID: OO0TMV
On our Elasticsearch nodes we identified the following bundled JAR:
/usr/share/elasticsearch/modules/x-pack-inference/commons-text-1.4.jar
Our current Elasticsearch version is: 8.19.12
From our package repository, we can see that the following newer patch versions are available:
- 8.19.13
- 8.19.14
- 8.19.15
We would like to clarify the following points:
Questions
- Is commons-text-1.4.jar in x-pack-inference an officially bundled dependency shipped with Elasticsearch 8.19.12?
- Is this component actually affected by CVE-2025-46295 / Vulnerability ID OO0TMV in the Elasticsearch context?
- If yes, has this dependency been updated, removed, or otherwise remediated in:
  - Elasticsearch 8.19.13
  - Elasticsearch 8.19.14
  - Elasticsearch 8.19.15
- What is the first Elasticsearch version in which commons-text-1.4.jar is no longer present or is replaced by a remediated version?
- Is there any official advisory, release note, or remediation guidance that specifically addresses this issue?
- If the JAR is present but not exploitable in Elasticsearch usage, could you please provide an official statement or explanation that we can share internally with our security team and vulnerability management process?
- Since this dependency is bundled inside Elasticsearch, can you confirm whether the only supported remediation path is upgrading Elasticsearch to a fixed version?
Additional context
At the moment, our objective is to determine the minimum Elasticsearch version we need to upgrade to in order to remediate the finding related to:
- CVE-2025-46295
- Vulnerability ID OO0TMV
- bundled commons-text-1.4.jar
If possible, please provide the exact fixed version and any related documentation we can reference.
Thank you all