Moderate severity · OSV Advisory · Published Dec 18, 2025 · Updated Dec 19, 2025
Elasticsearch Allocation of Resources Without Limits or Throttling
CVE-2025-68384
Description
Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow a low-privileged authenticated user to cause Excessive Allocation (CAPEC-130), resulting in a persistent denial of service (OOM crash), by submitting oversized user settings data.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.elasticsearch.plugin:x-pack-security (Maven) | < 8.19.9 | 8.19.9 |
| org.elasticsearch.plugin:x-pack-security (Maven) | >= 9.0.0, < 9.1.9 | 9.1.9 |
| org.elasticsearch.plugin:x-pack-security (Maven) | >= 9.2.0, < 9.2.3 | 9.2.3 |
Affected products (17)
- Range: v9.2.0, v9.2.1, v9.2.2
- osv-coords (16 versions, no CPE):
  - pkg:apk/chainguard/elasticsearch-fips-8.17, range: < 8.17.10-r14
  - pkg:apk/chainguard/elasticsearch-fips-8.17-bitnami, range: < 8.17.10-r14
  - pkg:apk/chainguard/elasticsearch-fips-8.18, range: < 8.18.8-r7
  - pkg:apk/chainguard/elasticsearch-fips-8.18-bitnami, range: < 8.18.8-r7
  - pkg:apk/chainguard/ruby3.2-elasticsearch, range: < 0
  - pkg:apk/chainguard/ruby3.3-elasticsearch, range: < 0
  - pkg:apk/chainguard/ruby3.4-elasticsearch, range: < 0
  - pkg:apk/chainguard/ruby4.0-elasticsearch, range: < 9.3.0-r0
  - pkg:apk/chainguard/sonarqube, range: < 25.12.0.117093-r2
  - pkg:apk/wolfi/ruby3.2-elasticsearch, range: < 0
  - pkg:apk/wolfi/ruby3.3-elasticsearch, range: < 0
  - pkg:apk/wolfi/ruby3.4-elasticsearch, range: < 0
  - pkg:apk/wolfi/ruby4.0-elasticsearch, range: < 9.3.0-r0
  - pkg:apk/wolfi/sonarqube, range: < 25.12.0.117093-r2
  - pkg:bitnami/elasticsearch, range: < 8.19.9
  - pkg:maven/org.elasticsearch.plugin/x-pack-security, range: < 8.19.9
References (6)
- github.com/advisories/GHSA-qf7c-7r9h-mm92 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-68384 (ghsa, ADVISORY)
- discuss.elastic.co/t/elasticsearch-8-19-9-9-1-9-and-9-2-3-security-update-esa-2025-33/384181 (ghsa, WEB)
- github.com/elastic/elasticsearch/commit/ab1d99ae033f2a23a8856b47a2d86652ad63a39a (ghsa, WEB)
- github.com/elastic/elasticsearch/commit/b46a4f64baea79c4d3afd58bda39d258de97210a (ghsa, WEB)
- github.com/elastic/elasticsearch/pull/138691 (ghsa, WEB)