CVE-2025-12147
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-29

Last updated on: 2025-10-30

Assigner: floragunn GmbH

Description
In Search Guard FLX versions 3.1.1 and earlier, Field-Level Security (FLS) rules are improperly enforced on object-valued fields. When an FLS exclusion rule (e.g., ~field) is applied to a field which contains an object as its value, the object is correctly removed from the _source returned by search operations. However, the object members (i.e., child attributes) remain accessible to search queries. This exposure allows adversaries to infer or reconstruct the original contents of the excluded object. Workaround - If you cannot upgrade immediately and FLS exclusion rules are used for object valued attributes (like ~object), add an additional exclusion rule for the members of the object (like ~object.*).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-29
Last Modified
2025-10-30
Generated
2026-06-16
AI Q&A
2025-10-29
EPSS Evaluated
2026-06-15
NVD
CVE-2025-12147
EUVD
EUVD-2025-36687
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
search_guard flx 3.1.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-732 The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

In Search Guard FLX versions 3.1.1 and earlier, Field-Level Security (FLS) rules are not properly enforced on fields that contain objects. While the entire object is excluded from the search results, the individual members or child attributes of that object remain accessible through search queries. This means that even if an object is supposed to be hidden, its contents can still be inferred or reconstructed by an attacker.

Impact Analysis

This vulnerability can lead to unauthorized access to sensitive data. Although the object itself is excluded from search results, its child attributes remain accessible, allowing adversaries to infer or reconstruct the original contents of the excluded object. This exposure can compromise data confidentiality and potentially lead to data leakage.

Mitigation Strategies

If you cannot upgrade immediately, and you are using Field-Level Security (FLS) exclusion rules for object-valued attributes (like ~object), add an additional exclusion rule for the members of the object (like ~object.*) to properly exclude child attributes and prevent exposure.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-12147. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart