CVE-2025-68384

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-68384
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-68384.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-68384
Aliases
Downstream
Published
2025-12-18T22:16:02.540Z
Modified
2025-12-25T08:54:32.500930Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
[none]
Details

Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow a low-privileged authenticated user to cause Excessive Allocation (CAPEC-130), resulting in a persistent denial of service (OOM crash), by submitting oversized user settings data.

References

Affected packages

Git / github.com/elastic/elasticsearch

Affected ranges

Type
GIT
Repo
https://github.com/elastic/elasticsearch
Events

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-68384.json"

vanir_signatures

[
    {
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "length": 305.0,
            "function_hash": "229166255045301346585622455642873789853"
        },
        "id": "CVE-2025-68384-03e305b5",
        "signature_type": "Function",
        "source": "https://github.com/elastic/elasticsearch/commit/f60dd5fdef48c4b6cf97721154cd49b3b4794fb0",
        "target": {
            "file": "x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/role/RoleDescriptorRequestValidator.java",
            "function": "validateIndexNameExpression"
        }
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "22799343236770748403298540225288566789",
                "148306469380463964857590464523617086489",
                "112708772737749378359171394647526694800",
                "54738819031625359442437444026504288464",
                "215408533376176740699445489020547479671"
            ]
        },
        "id": "CVE-2025-68384-74b79f8c",
        "signature_type": "Line",
        "source": "https://github.com/elastic/elasticsearch/commit/f60dd5fdef48c4b6cf97721154cd49b3b4794fb0",
        "target": {
            "file": "x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/role/RoleDescriptorRequestValidator.java"
        }
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "35308104646925593422797425754370691903",
                "305064702061835088979702429131580923084",
                "85843254806226700035260888561335619158",
                "60079007924553349940581118979270624908",
                "188733035935134607917526267132093491593",
                "134130522338909018824882908608939301094"
            ]
        },
        "id": "CVE-2025-68384-e904b954",
        "signature_type": "Line",
        "source": "https://github.com/elastic/elasticsearch/commit/f60dd5fdef48c4b6cf97721154cd49b3b4794fb0",
        "target": {
            "file": "x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/action/role/RoleDescriptorRequestValidatorTests.java"
        }
    }
]