CVE-2025-37730: 
Logstash vulnerability analysis and mitigation

Improper certificate validation in Logstash's TCP output could lead to a man-in-the-middle (MitM) attack in 'client' mode, as hostname verification in TCP output was not being performed when the sslverificationmode => full was set. The vulnerability was discovered and disclosed on May 6, 2025, affecting all versions of Logstash prior to 8.17.6, as well as versions 8.18.0 and 9.0.0 (Elastic Discussion).

The vulnerability is identified as CVE-2025-37730 and has been assigned a CVSS v3.1 score of 5.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N. The issue specifically affects the TCP output plugin when run in 'client' mode with sslverificationmode => full set to full, which is the default configuration (Elastic Discussion).

The vulnerability could allow attackers to perform man-in-the-middle (MitM) attacks due to improper certificate validation in the TCP output functionality. This could potentially lead to unauthorized access to sensitive information and limited integrity compromise of the affected systems (NVD).

Users are advised to upgrade to version 8.17.6, 8.18.1, or 9.0.1 to resolve the issue. Alternatively, users can upgrade the TCP output plugin to version 6.2.2 or 7.0.1 by running bin/logstash-plugin update logstash-output-tcp (Elastic Discussion).