Elasticsearch Insertion of sensitive information in log file (ESA-2025-18)
Insertion of sensitive information in log file in Elasticsearch can lead to loss of confidentiality under specific preconditions when auditing requests to the reindex API
Affected Versions:
- 7.x: All versions from 7.0.0 and up to and including 7.17.29
- 8.x: All versions from 8.0.0 and up to and including 8.18.7
- 8.19.x: All versions from 8.19.0 and up to and including 8.19.4
- 9.0.x: All versions from 9.0.0 and up to and including 9.0.7
- 9.1.x: All versions from 9.1.0 and up to and including 9.1.4
Affected Configurations:
This affects deployments where all the below are true:
-
Audit logging is enabled (
xpack.security.audit.enabled: true) -
Audit logging is configured to contain authentication_success events (
xpack.security.audit.logfile.events.include includes authentication_success) -
Audit logging is explicitly configured to capture request bodies (
xpack.security.audit.logfile.events.emit_request_body: true). The default value isfalse.
Solutions and Mitigations:
The issue is resolved in version 8.18.8, 8.19.5, 9.0.8, 9.1.5.
For Users that Cannot Upgrade:
If the affected configuration is in use:
Self-hosted
Users can set xpack.security.audit.logfile.events.emit_request_body to false
Cloud
Users can set xpack.security.audit.logfile.events.emit_request_body to false
Severity: CVSSv3.1: Medium(5.3) CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVE ID: CVE-2025-37727