GHSA-rrmm-wq7q-h4v5: 
Java vulnerability analysis and mitigation

A security vulnerability was identified in OpenSearch versions 2.19.2 and earlier, tracked as GHSA-rrmm-wq7q-h4v5. The vulnerability relates to improper application of field masking rules on specific field types including ip, geopoint, geoshape, xypoint, and xyshape. This moderate severity issue was published and last updated on August 1, 2025, affecting the OpenSearch security plugin (GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 score of 5.7 (Moderate), with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N. The technical assessment indicates network attack vector, low attack complexity, low privileges required, user interaction required, unchanged scope, high confidentiality impact, and no impact on integrity or availability. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (GitHub Advisory).

While the content of affected fields is properly redacted in the source document returned by search operations, the original unredacted values remain accessible through search queries. This allows unauthorized users to reconstruct the original field contents using range queries. Furthermore, the content of fields of type geopoint, geoshape, xypoint, and xy_shape is returned unredacted when requested via the fields option of the search API (GitHub Advisory).

The vulnerability has been patched in OpenSearch versions 3.0.0 and 2.19.3. For users unable to upgrade immediately, a recommended workaround is to use field level security (FLS) protection on fields of the affected types instead of field masking (GitHub Advisory).