CVE-2025-68390

MEDIUM4.9EPSS 0.27%

Elasticsearch Allocation of Resources Without Limits or Throttling

Published: 12/19/2025Modified: 12/20/2025

Also known as:GHSA-gphj-4h6p-37xqBIT-elasticsearch-2025-68390

Description

Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow an authenticated user with snapshot restore privileges to cause Excessive Allocation (CAPEC-130) of memory and a denial of service (DoS) via crafted HTTP request.

Affected packages (2)

Bitnami/elasticsearchfrom 0, < 8.19.8, >= 9.0.0, < 9.1.8, >= 9.2.0, < 9.2.2
Maven/org.elasticsearch.plugin:x-pack-corefrom 0, < 8.19.8

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-68390
PATCHhttps://github.com/elastic/elasticsearch
WEBhttps://discuss.elastic.co/t/elasticsearch-8-19-8-9-1-8-and-9-2-2-security-update-esa-2025-37/384185
WEBhttps://github.com/elastic/elasticsearch/pull/138132