CVE-2025-62371: 
Java vulnerability analysis and mitigation

OpenSearch Data Prepper versions prior to 2.12.2 contain a security vulnerability (CVE-2025-62371) where the OpenSearch sink and source plugins trust all SSL certificates by default when no certificate path is provided. This vulnerability was disclosed on October 15, 2025, affecting the data collector's security mechanisms for observability data (GitHub Advisory).

The vulnerability stems from the OpenSearch sink and source plugins automatically using a trust-all SSL strategy when connecting to OpenSearch clusters without an explicitly configured certificate path. This behavior bypasses SSL certificate validation, resulting in a High severity rating with a CVSS v3.1 base score of 7.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N). The vulnerability is classified under CWE-295 (Improper Certificate Validation) (NVD).

The vulnerability allows attackers to potentially intercept and modify data in transit through man-in-the-middle attacks when the cert parameter is not explicitly provided. This affects connections to OpenSearch clusters, potentially compromising the confidentiality and integrity of transmitted data (GitHub Advisory).

The vulnerability has been patched in Data Prepper version 2.12.2. As a workaround, users can add the cert parameter to their OpenSearch sink or source configuration with the path to the cluster's CA certificate. For example, in the configuration, specify the certificate path using 'cert: /path/to/your/ca-certificate.pem' (GitHub Advisory).