CVE-2025-37727: 
Java vulnerability analysis and mitigation

CVE-2025-37727 is a sensitive information disclosure vulnerability discovered in Elasticsearch's audit logging system. The vulnerability was disclosed on October 6, 2025, affecting Elasticsearch versions from 7.0.0 through 7.17.29, 8.0.0 through 8.18.7, 8.19.0 through 8.19.4, 9.0.0 through 9.0.7, and 9.1.0 through 9.1.4. The vulnerability can lead to loss of confidentiality under specific preconditions when auditing requests to the reindex API (Elastic Security, Security Online).

The vulnerability has been assigned a CVSS v3.1 score of 5.3 (Medium) with the vector string CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The issue manifests when three specific conditions are met simultaneously: audit logging is enabled (xpack.security.audit.enabled: true), authentication success events are logged, and request body logging is explicitly enabled (xpack.security.audit.logfile.events.emitrequestbody: true) (Elastic Security).

The vulnerability can result in sensitive information being exposed in log files when auditing requests to the reindex API. Because these options are rarely all active by default, the vulnerability has limited impact, but still poses risks for regulated environments where audit logs may capture sensitive payloads (Security Online).

The vulnerability has been patched in Elasticsearch versions 8.18.8, 8.19.5, 9.0.8, and 9.1.5. For users who cannot immediately upgrade, a workaround is available by setting xpack.security.audit.logfile.events.emitrequestbody to false. This applies to both self-hosted and cloud users (Elastic Security).