CVE-2025-27911: 
Datalust Seq vulnerability analysis and mitigation

A vulnerability was discovered in Datalust Seq versions prior to 2024.3.13545. The vulnerability (CVE-2025-27911) involves the expansion of identifiers in message templates that can bypass the system's "Event body limit bytes" setting. This was initially reported as high-severity but was later downgraded to medium severity with a CVSS 3.1 score of 6.0. The vulnerability was discovered through Datalust's internal security processes and disclosed on February 17, 2025 (Seq Tickets).

The vulnerability exists in the message template processing mechanism of Seq, where the expansion of identifiers can circumvent the configured event body size limitations. This bypass leads to increased resource consumption beyond intended limits. The vulnerability has been assigned a CVSS 3.1 vector string of AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C, indicating network accessibility, low attack complexity, and high availability impact (Seq Tickets).

When exploited, this vulnerability can result in increased resource consumption leading to either disk space exhaustion (if events are saved to disk) or termination of the server process due to out-of-memory errors. The impact is particularly severe because ingested events are persisted, meaning availability issues may continue even after system restart when malicious events are accessed during queries or indexing operations (Seq Tickets).

The vulnerability has been patched in Seq version 2024.3.13545. All Seq customers are advised to update to this version or later builds as soon as possible. The fixed version is available for download from the official website or via Docker image datalust/seq:2024.3.13545 (Seq Tickets, Datalust).