CVE-2025-37730: 
Logstash vulnerability analysis and mitigation

Improper certificate validation in Logstash's TCP output was discovered on May 6, 2025, affecting all versions prior to 8.17.6, as well as versions 8.18.0 and 9.0.0. The vulnerability occurs when the TCP output is running in 'client' mode, where hostname verification was not being performed even when sslverificationmode => full was set (Wiz Report).

The vulnerability is tracked as CVE-2025-37730 and has been assigned a CVSS v3.1 score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N. The issue specifically affects the TCP output plugin when run in 'client' mode with sslverificationmode => full set, which is the default configuration (Wiz Report).

The vulnerability could allow attackers to perform man-in-the-middle (MitM) attacks due to improper certificate validation in the TCP output functionality. This could potentially lead to unauthorized access to sensitive information and limited integrity compromise of the affected systems (NVD).

Users are advised to upgrade to version 8.17.6, 8.18.1, or 9.0.1 to resolve the issue. Alternatively, users can upgrade the TCP output plugin to version 6.2.2 or 7.0.1 by running bin/logstash-plugin update logstash-output-tcp (Wiz Report).