JRE 24 vulnerability

The Java 24 version bundled with all recent versions of Elasticsearch has three vulnerabilities, all published on April 15th:

- CVE-2025-21587, score 7.4 (High)
- CVE-2025-30691, score 4.8 (Medium)
- CVE-2025-30698, score 5.6 (Medium)

We've been following new releases hoping to patch this to make sure we are compliant, but even the most recent 8.18.5 version, released yesterday, has no mention of a new bundled OpenJDK in the release notes.

OpenJDK 24.0.2 was released on July 15th.

When can we expect a new version of Elasticsearch to be released with a vulnerability-free Java?


Thank you for this question.

Elastic's security reporting guidelines are available at "Security issues | Elastic".

Per those guidelines, all reports of potential security issues or vulnerabilities should be sent via email to security@elastic.co.

We are unable to discuss potential issues of this nature here. Please send your report to the email address above, where it can be appropriately handled.

++ to what @dadoonet says, but also see these docs:

Elasticsearch uses only a subset of the features offered by the JVM. Bugs and security issues in the bundled JVM often relate to features that Elasticsearch does not use. Such issues do not apply to Elasticsearch. Elastic analyzes reports of security vulnerabilities in all its dependencies, including in the bundled JVM, and will issue an Elastic Security Advisory if such an advisory is needed.
