GHSA-rrmm-wq7q-h4v5: 
Java vulnerability analysis and mitigation

A security vulnerability (GHSA-rrmm-wq7q-h4v5) was identified in OpenSearch versions 2.19.2 and earlier, affecting the field masking functionality for specific field types including ip, geopoint, geoshape, xypoint, and xyshape. The vulnerability was disclosed on August 1, 2025, and impacts the OpenSearch security plugin (GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 score of 5.7 (Moderate severity) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N. The issue stems from improper application of field masking rules where although content is redacted in the _source document returned by search operations, the original unredacted values remain accessible through search queries. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (GitHub Advisory).

The vulnerability allows unauthorized access to sensitive data through two main vectors: First, original field contents can be reconstructed using range queries despite masking. Second, for fields of type geopoint, geoshape, xypoint, and xyshape, unredacted content can be accessed when requested via the fields option of the search API (GitHub Advisory).

The vulnerability has been patched in OpenSearch versions 3.0.0 and 2.19.3. For users unable to upgrade immediately, a workaround is available by using field level security (FLS) protection on fields of the affected types instead of field masking (GitHub Advisory).