GHSA-2rjv-cv85-xhgm: 
Java vulnerability analysis and mitigation

A moderate severity vulnerability (GHSA-2rjv-cv85-xhgm) was identified in OpenSearch versions 2.19.2 and earlier, affecting the Field Level Security (FLS) implementation. The vulnerability was published and last updated on August 1, 2025, impacting the OpenSearch security plugin (org.opensearch.plugin:opensearch-security) (GitHub Advisory).

The vulnerability stems from improper application of Field Level Security (FLS) rules on fields that are not at the top level of the source document tree, specifically those that are members of a JSON object. When an FLS exclusion rule (like ~object) is applied to an object-valued attribute in a source document, while the object is properly removed from the _source document in search and get results, its member attributes remain accessible to search queries. The vulnerability has a CVSS score of 5.7 (Moderate) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N, indicating network attack vector, low attack complexity, low privileges required, and high confidentiality impact (GitHub Advisory).

The vulnerability allows unauthorized users to reconstruct original field contents using range queries, even when those fields should be protected by FLS rules. This represents a potential data exposure risk, classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (GitHub Advisory).

The vulnerability has been patched in OpenSearch versions 3.0.0 and 2.19.3. For users unable to update immediately, a workaround is available: when using FLS exclusion rules for object-valued attributes (like ~object), add an additional exclusion rule for the members of the object (like ~object.*) (GitHub Advisory).