CVE-2025-62371
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-62371, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-10-15

Last updated on: 2025-12-04

Assigner: GitHub, Inc.

Description

OpenSearch Data Prepper as an open source data collector for observability data. In versions prior to 2.12.2, the OpenSearch sink and source plugins in Data Prepper trust all SSL certificates by default when no certificate path is provided. Prior to this fix, the OpenSearch sink and source plugins would automatically use a trust all SSL strategy when connecting to OpenSearch clusters if no certificate path was explicitly configured. This behavior bypasses SSL certificate validation, potentially allowing attackers to intercept and modify data in transit through man-in-the-middle attacks. The vulnerability affects connections to OpenSearch when the cert parameter is not explicitly provided. This issue has been patched in version 2.12.2. As a workaround, users can add the cert parameter to their OpenSearch sink or source configuration with the path to the cluster's CA certificate.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-10-15
Last Modified
2025-12-04
Generated
2026-07-06
AI Q&A
2025-10-15
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
amazon opensearch_data_prepper to 2.12.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-295 The product does not validate, or incorrectly validates, a certificate.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability occurs in OpenSearch Data Prepper versions prior to 2.12.2, where the OpenSearch sink and source plugins trust all SSL certificates by default if no certificate path is provided. This means SSL certificate validation is bypassed, allowing attackers to potentially intercept and modify data in transit through man-in-the-middle attacks.

Impact Analysis

The vulnerability can allow attackers to perform man-in-the-middle attacks by intercepting and modifying data transmitted between Data Prepper and OpenSearch clusters. This compromises the confidentiality and integrity of the data being collected and sent, potentially leading to data breaches or corrupted observability data.

Mitigation Strategies

To mitigate this vulnerability, upgrade OpenSearch Data Prepper to version 2.12.2 or later. Alternatively, as a workaround, explicitly configure the OpenSearch sink or source plugins with the cert parameter pointing to the cluster's CA certificate to ensure SSL certificate validation is enforced.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-62371. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart