CVE-2025-68390

4.9 MEDIUM

📋 TL;DR

This vulnerability allows authenticated Elasticsearch users with snapshot restore privileges to cause memory exhaustion and denial of service through crafted HTTP requests. It affects Elasticsearch deployments where users have snapshot restore permissions. The impact is limited to availability rather than data confidentiality or integrity.

💻 Affected Systems

Products:
  • Elasticsearch
Versions: Before 8.19.8, 9.1.8, and 9.2.2
Operating Systems: All platforms running Elasticsearch
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects users with snapshot restore privileges; default snapshot privileges may vary by configuration.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service outage of Elasticsearch cluster due to memory exhaustion, affecting all dependent applications and services.

🟠

Likely Case

Degraded performance or temporary unavailability of Elasticsearch nodes, requiring manual intervention to restore service.

🟢

If Mitigated

Minimal impact if proper access controls limit snapshot restore privileges to trusted administrators only.

🌐 Internet-Facing: MEDIUM - Requires authentication but could be exploited if exposed endpoints have vulnerable users.
🏢 Internal Only: MEDIUM - Internal users with snapshot restore privileges could intentionally or accidentally trigger the issue.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires authenticated user with specific privileges; exploitation involves sending crafted HTTP requests to snapshot restore endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.19.8, 9.1.8, or 9.2.2

Vendor Advisory: https://discuss.elastic.co/t/elasticsearch-8-19-8-9-1-8-and-9-2-2-security-update-esa-2025-37/384185

Restart Required: Yes

Instructions:

1. Back up your Elasticsearch data and configuration.
2. Download the patched version from elastic.co.
3. Stop the Elasticsearch service.
4. Install the new version.
5. Restart the Elasticsearch service.
6. Verify cluster health.

🔧 Temporary Workarounds

Restrict Snapshot Restore Privileges

Platform: all

Limit snapshot restore permissions to only essential administrators to reduce the attack surface. The two commands below (authentication flags assumed; supply admin credentials appropriate to your cluster) first define a role that grants no cluster, index or application privileges, then reassign a user to that role so it loses any role that allowed snapshot restores.

# Create a role with no cluster, index or application privileges.
curl -u 'elastic:<admin-password>' -X PUT 'http://localhost:9200/_security/role/restricted_role' -H 'Content-Type: application/json' -d '{"indices": [], "cluster": [], "applications": []}'
# Reassign the user to only that role (this also resets the user's password).
curl -u 'elastic:<admin-password>' -X PUT 'http://localhost:9200/_security/user/malicious_user' -H 'Content-Type: application/json' -d '{"password": "newpassword", "roles": ["restricted_role"]}'

🧯 If You Can't Patch

  • Implement strict access controls to limit snapshot restore privileges to minimal necessary users.
  • Monitor Elasticsearch memory usage and set up alerts for abnormal memory allocation patterns.

🔍 How to Verify

Check if Vulnerable:

Check the Elasticsearch version with: curl -XGET 'http://localhost:9200/' and compare the version.number field in the response against the affected versions.

Check Version:

curl -XGET 'http://localhost:9200/' | grep number

Verify Fix Applied:

After patching, verify that the reported version is 8.19.8, 9.1.8, or 9.2.2 (or a later release in the same line) and test snapshot restore functionality with normal requests.
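The version comparison above is easy to get wrong by hand when three release lines are involved, so here is an added shell example (not part of the original advisory) that parses the version.number field out of the root response and classifies it against the three fixed versions. The JSON is a constructed sample, not a capture from a real node; against a live cluster you would pipe the output of the curl command shown above into es_version_from_json instead. The script assumes the advisory's phrasing means every release below 8.19.8 (including older majors), 9.0.x and 9.1.x below 9.1.8, and 9.2.x below 9.2.2 are affected, and that 9.3 and later are not.

```shell
#!/bin/sh
# Added example: classify an Elasticsearch version for CVE-2025-68390.
# Fixed releases per the advisory: 8.19.8, 9.1.8, 9.2.2.

# Constructed sample of the JSON returned by GET / on a node (not a real capture);
# only the fields this script reads are meaningful.
SAMPLE_ROOT_RESPONSE='{
  "name" : "node-1",
  "cluster_name" : "example-cluster",
  "version" : {
    "number" : "8.19.7",
    "build_flavor" : "default"
  },
  "tagline" : "You Know, for Search"
}'

# Extract version.number from the root response without depending on jq.
es_version_from_json() {
  printf '%s\n' "$1" | sed -n 's/.*"number" *: *"\([0-9][0-9.]*\)".*/\1/p' | head -n 1
}

# Return 0 (true) when version $1 is strictly lower than $2, comparing
# major.minor.patch numerically (so 8.19.7 < 8.19.8 and 9.2.1 < 9.2.2).
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1
  }'
}

# Print "vulnerable" or "fixed" for a version string such as 9.1.7 or 8.19.8-SNAPSHOT.
# Assumption (see lead-in): anything below 8.19.8 is affected, 9.0/9.1 below 9.1.8,
# 9.2 below 9.2.2; 9.3+ is treated as fixed.
es_cve_2025_68390_status() {
  v=${1%%-*}            # drop a "-SNAPSHOT"-style suffix if present
  major=${v%%.*}
  rest=${v#*.}
  minor=${rest%%.*}
  if [ "$major" -lt 9 ]; then
    if version_lt "$v" "8.19.8"; then echo vulnerable; else echo fixed; fi
  elif [ "$major" -eq 9 ] && [ "$minor" -le 1 ]; then
    if version_lt "$v" "9.1.8"; then echo vulnerable; else echo fixed; fi
  elif [ "$major" -eq 9 ] && [ "$minor" -eq 2 ]; then
    if version_lt "$v" "9.2.2"; then echo vulnerable; else echo fixed; fi
  else
    echo fixed
  fi
}

# Stand-alone usage on the constructed sample. For a live node, replace the
# sample with:  curl -s -XGET 'http://localhost:9200/'
detected=$(es_version_from_json "$SAMPLE_ROOT_RESPONSE")
echo "Elasticsearch $detected: $(es_cve_2025_68390_status "$detected")"
```

The comparison is done field by field in awk rather than with a string compare, because "8.19.7" sorts after "8.19.8" is not a problem but "8.9.0" versus "8.19.0" would be with plain lexical ordering.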

📡 Detection & Monitoring

Log Indicators:

  • Unusually large memory allocation in Elasticsearch logs
  • Frequent snapshot restore requests from single users
  • OutOfMemoryError or similar exceptions

Network Indicators:

  • High volume of HTTP POST requests to /_snapshot/*/_restore endpoints
  • Abnormal request sizes to snapshot APIs

SIEM Query:

source="elasticsearch.logs" AND ("OutOfMemoryError" OR "memory allocation" OR "_snapshot")
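For teams without a SIEM, the same two indicators (bursts of restore requests from one user, and out-of-memory errors) can be checked directly over log files. The shell snippet below is an added example, not part of the original advisory: the log lines are constructed samples loosely modelled on Elasticsearch's JSON audit log (user.name and action fields) and a server-log error line, and the restore action name cluster:admin/snapshot/restore is the one Elasticsearch uses for the restore API. The threshold is a parameter you tune to your own restore cadence.

```shell
#!/bin/sh
# Added example: flag restore-request bursts per user and memory-exhaustion errors.

# Constructed sample log lines (not real captures). The first six mimic audit-log
# JSON entries; the last mimics a server-log error line.
SAMPLE_LOGS='{"type":"audit","user.name":"backup-svc","action":"cluster:admin/snapshot/restore","origin.address":"10.0.0.5"}
{"type":"audit","user.name":"backup-svc","action":"cluster:admin/snapshot/restore","origin.address":"10.0.0.5"}
{"type":"audit","user.name":"backup-svc","action":"cluster:admin/snapshot/restore","origin.address":"10.0.0.5"}
{"type":"audit","user.name":"backup-svc","action":"cluster:admin/snapshot/restore","origin.address":"10.0.0.5"}
{"type":"audit","user.name":"alice","action":"cluster:admin/snapshot/restore","origin.address":"10.0.0.9"}
{"type":"audit","user.name":"alice","action":"indices:data/read/search","origin.address":"10.0.0.9"}
[2025-12-01T10:00:00,000][ERROR][o.e.b.ElasticsearchUncaughtExceptionHandler] [node-1] fatal error in thread [snapshot] java.lang.OutOfMemoryError: Java heap space'

# Read log lines on stdin; print each user whose restore-request count exceeds $1.
# Counting by user rather than by source address matches the advisory's indicator
# of "frequent snapshot restore requests from single users".
restore_burst_users() {
  threshold=$1
  grep -F '"action":"cluster:admin/snapshot/restore"' |
    sed -n 's/.*"user.name":"\([^"]*\)".*/\1/p' |
    sort | uniq -c |
    awk -v t="$threshold" '$1 > t { print $2 }'
}

# Read log lines on stdin; print the ones that indicate memory exhaustion.
# CircuitBreakingException is added here as an early signal that precedes a
# hard OutOfMemoryError on clusters where the circuit breakers trip first.
oom_lines() {
  grep -E 'OutOfMemoryError|CircuitBreakingException'
}

# Stand-alone usage on the constructed sample. On a node you would instead pipe
# the audit log and server log files into these functions.
echo "Users exceeding 3 restore requests:"
printf '%s\n' "$SAMPLE_LOGS" | restore_burst_users 3
echo "Memory-exhaustion lines:"
printf '%s\n' "$SAMPLE_LOGS" | oom_lines
```

Both functions are filters, so they compose with tail -f for near-real-time alerting; a non-empty result from restore_burst_users over a short window is the condition worth paging on, since a single restore from an administrator is normal activity.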
