Elastic Cloud Enterprise (ECE) Improper Neutralization of Special Elements Used in a Template Engine (ESA-2025-21)
Improper neutralization of special elements used in a template engine in Elastic Cloud Enterprise (ECE) allows a malicious actor with Admin access to exfiltrate sensitive information and issue commands via a specially crafted string that is evaluated as Jinjava variables.
Affected Versions:
Versions starting from 2.5.0 up to and including 3.8.1, and versions starting from 4.0.0 up to and including 4.0.1.
Affected Configurations:
This issue can only be exploited by users with access to the Elastic Cloud Enterprise (ECE) admin-console and to a deployment with the Logging+Metrics feature enabled. By submitting plans containing specially crafted payloads, such a user can inject code that is executed and read the result back through the ingested logs.
Solutions and Mitigations:
Users should upgrade to version 3.8.2 or 4.0.2.
For Users that Cannot Upgrade:
There are no workarounds.
Indicators of Compromise (IOC)
Users can monitor the request logs for malicious payloads by using the search query:
(payload.name : int3rpr3t3r or payload.name : forPath)
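For environments where the request logs are exported as newline-delimited JSON rather than searched in Kibana, the following is an added example (not Elastic's code and not part of this advisory) that applies the same two indicators offline. It assumes the log lines are JSON objects with a nested `payload.name` field, as the search query above implies; the sample lines, the `@timestamp` and `user` fields and the values shown in them are constructed for illustration.

```python
import json
from typing import Any, Iterable, List, Optional, Tuple

# Field and values taken from the advisory's search query:
#   (payload.name : int3rpr3t3r or payload.name : forPath)
IOC_FIELD = "payload.name"
IOC_VALUES = {"int3rpr3t3r", "forPath"}


def get_path(doc: Any, dotted: str) -> Optional[Any]:
    """Resolve a dotted field path such as 'payload.name' inside a nested dict.

    Returns None if any segment is missing or the intermediate value is not a dict.
    """
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_ioc(doc: dict) -> bool:
    """True if payload.name equals one of the advisory's indicator values.

    The query is an exact term match, so the comparison is exact as well; a
    field that holds a list of names matches if any element is an indicator.
    """
    value = get_path(doc, IOC_FIELD)
    if isinstance(value, str):
        return value in IOC_VALUES
    if isinstance(value, list):
        return any(isinstance(v, str) and v in IOC_VALUES for v in value)
    return False


def scan_request_log(lines: Iterable[str]) -> List[Tuple[int, str, str, str]]:
    """Scan newline-delimited JSON request-log lines and return the hits.

    Each hit is (line number, @timestamp, user, payload.name). Blank lines and
    lines that are not valid JSON objects are skipped rather than aborting the
    scan, so one corrupt line does not hide the indicators that follow it.
    """
    hits: List[Tuple[int, str, str, str]] = []
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line:
            continue
        try:
            doc = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(doc, dict) or not matches_ioc(doc):
            continue
        name = get_path(doc, IOC_FIELD)
        if isinstance(name, list):
            name = next(v for v in name if v in IOC_VALUES)
        hits.append(
            (lineno, str(doc.get("@timestamp", "")), str(doc.get("user", "")), name)
        )
    return hits


# Constructed sample log: two indicator hits, one benign plan, one non-JSON line.
SAMPLE_LOG = """\
{"@timestamp": "2025-10-01T10:00:00Z", "user": "admin", "payload": {"name": "int3rpr3t3r", "plan": "..."}}
{"@timestamp": "2025-10-01T10:00:05Z", "user": "ops", "payload": {"name": "logging-and-metrics", "plan": "..."}}
this line is not JSON and must not break the scan
{"@timestamp": "2025-10-01T10:00:09Z", "user": "admin", "payload": {"name": "forPath"}}
"""


if __name__ == "__main__":
    for lineno, ts, user, name in scan_request_log(SAMPLE_LOG.splitlines()):
        print(f"line {lineno}: {ts} user={user} payload.name={name}")
```

Run it against a real export with `scan_request_log(open("requests.ndjson"))`. A hit is an indicator, not proof of compromise; pair it with the submitting user and the affected deployment, and follow up with the upgrade.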
Severity: CVSSv3.1: 9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVE ID: CVE-2025-37729