GHSA-2rjv-cv85-xhgm: 
Java vulnerability analysis and mitigation

OpenSearch versions 2.19.2 and earlier contain a vulnerability (GHSA-2rjv-cv85-xhgm) related to improper application of Field Level Security (FLS) rules on nested fields within JSON objects. The vulnerability was disclosed and patched on August 1, 2025, affecting the OpenSearch security plugin (GitHub Advisory).

The vulnerability stems from incorrect implementation of Field Level Security rules on fields that are not at the top level of the source document tree. When an FLS exclusion rule (like ~object) is applied to an object-valued attribute, while the object is properly removed from the _source document in search and get results, its member attributes remain accessible through search queries. This implementation flaw allows unauthorized users to reconstruct the original field contents using range queries. The vulnerability has been assigned a CVSS v3.1 score of 5.7 (Moderate) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N (GitHub Advisory).

The vulnerability primarily affects data confidentiality, allowing unauthorized access to sensitive information that should be protected by Field Level Security. The issue enables attackers to bypass intended security controls and access field contents that should be restricted, potentially exposing sensitive data (GitHub Advisory).

The vulnerability has been patched in OpenSearch versions 3.0.0 and 2.19.3. For users unable to update immediately, a workaround is available: when using FLS exclusion rules for object-valued attributes (like ~object), add an additional exclusion rule for the object's members (like ~object.*) (GitHub Advisory).