Moderate severityOSV Advisory· Published Dec 18, 2025· Updated Dec 19, 2025

Elasticsearch Allocation of Resources Without Limits or Throttling

CVE-2025-68390

Description

Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow an authenticated user with snapshot restore privileges to cause Excessive Allocation (CAPEC-130) of memory and a denial of service (DoS) via crafted HTTP request.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.elasticsearch.plugin:x-pack-coreMaven	< 8.19.8	8.19.8
org.elasticsearch.plugin:x-pack-coreMaven	>= 9.0.0, < 9.1.8	9.1.8
org.elasticsearch.plugin:x-pack-coreMaven	>= 9.2.0, < 9.2.2	9.2.2

Affected products

Elastic/ElasticsearchOSV
Range: v9.2.0, v9.2.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-gphj-4h6p-37xqghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2025-68390ghsaADVISORY
discuss.elastic.co/t/elasticsearch-8-19-8-9-1-8-and-9-2-2-security-update-esa-2025-37/384185ghsaWEB
github.com/elastic/elasticsearch/pull/138132ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000