Moderate severity · OSV Advisory · Published Dec 18, 2025 · Updated Dec 19, 2025
Elasticsearch Allocation of Resources Without Limits or Throttling
CVE-2025-68390
Description
Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow an authenticated user with snapshot restore privileges to cause Excessive Allocation (CAPEC-130) of memory and a denial of service (DoS) via a crafted HTTP request. The attack requires valid credentials that already hold restore rights; it is not reachable by an unauthenticated client.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.elasticsearch.plugin:x-pack-core | Maven | < 8.19.8 | 8.19.8 |
| org.elasticsearch.plugin:x-pack-core | Maven | >= 9.0.0, < 9.1.8 | 9.1.8 |
| org.elasticsearch.plugin:x-pack-core | Maven | >= 9.2.0, < 9.2.2 | 9.2.2 |
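The three ranges above are the practical output of this advisory: the question for an operator is whether a running node falls inside one of them. The following Python is an added example written for this page, not code from Elastic or from the OSV project. It encodes the table as OSV-style (introduced, fixed) pairs, compares a version string against them, and evaluates the JSON document that an Elasticsearch node returns from `GET /` (the body that carries `version.number`); the sample body at the bottom is constructed for the example, not captured from a real cluster.

```python
"""Check an Elasticsearch version against the CVE-2025-68390 affected ranges."""
import json
from typing import Optional, Tuple

# Affected ranges for org.elasticsearch.plugin:x-pack-core, taken from the
# advisory's "Affected packages" table and encoded as OSV-style
# (introduced, fixed) pairs. "0" means "from the first release".
AFFECTED_RANGES = [
    ("0", "8.19.8"),
    ("9.0.0", "9.1.8"),
    ("9.2.0", "9.2.2"),
]


def parse_version(v: str) -> Tuple[int, int, int]:
    """Turn '8.19.7' or 'v9.2.1' into a comparable (major, minor, patch) tuple.
    Elasticsearch release numbers are plain major.minor.patch; a pre-release
    suffix such as '-SNAPSHOT' is dropped before comparison."""
    v = v.strip().lstrip("v")
    core = v.split("-", 1)[0]
    parts = core.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {v!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))  # pad '9' -> (9, 0, 0)


def affected_range(version: str) -> Optional[Tuple[str, str]]:
    """Return the (introduced, fixed) pair that contains `version`,
    or None when the version lies outside every affected range.
    The comparison is half-open: introduced <= version < fixed."""
    ver = parse_version(version)
    for introduced, fixed in AFFECTED_RANGES:
        if parse_version(introduced) <= ver < parse_version(fixed):
            return (introduced, fixed)
    return None


def is_affected(version: str) -> bool:
    return affected_range(version) is not None


def patched_version_for(version: str) -> Optional[str]:
    """Smallest patched release on the same line, or None if already patched."""
    rng = affected_range(version)
    return rng[1] if rng else None


def check_cluster_info(root_response: str) -> dict:
    """Evaluate the JSON body returned by `GET /` on an Elasticsearch node.
    Only `version.number` (and `cluster_name`, for the report) is used."""
    doc = json.loads(root_response)
    number = doc["version"]["number"]
    return {
        "cluster_name": doc.get("cluster_name"),
        "version": number,
        "affected": is_affected(number),
        "upgrade_to": patched_version_for(number),
    }


if __name__ == "__main__":
    # Constructed sample of a GET / response (hypothetical cluster "lab").
    SAMPLE = ('{"name":"node-1","cluster_name":"lab",'
              '"version":{"number":"9.1.7","build_flavor":"default"}}')
    print(check_cluster_info(SAMPLE))
```

Feed it the output of `curl -s https://<node>:9200/` (with whatever authentication the cluster requires) and it reports whether the node needs the 8.19.8, 9.1.8 or 9.2.2 release. Note the half-open ranges: 9.1.8 and 9.2.2 themselves are patched, while 9.2.0 and 9.2.1 are inside the third range even though they are newer than 9.1.8. A clean result only means no upgrade is needed for this CVE; because the attack requires snapshot restore privileges, reviewing which principals hold those privileges is the compensating control while a cluster is still on an affected release.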
Affected products
- Range: v9.2.0, v9.2.1
- OSV package coordinates (22 entries, listed in the order the advisory gives them; none of them has a CPE assigned):

| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/elasticsearch-fips-8.17 | < 8.17.10-r14 |
| pkg:apk/chainguard/elasticsearch-fips-8.17-bitnami | < 8.17.10-r14 |
| pkg:apk/chainguard/elasticsearch-fips-8.18 | < 8.18.8-r7 |
| pkg:apk/chainguard/elasticsearch-fips-8.18-bitnami | < 8.18.8-r7 |
| pkg:apk/chainguard/elasticsearch-fips-9.0 | < 9.0.8-r15 |
| pkg:apk/chainguard/elasticsearch-fips-9.0-bitnami | < 9.0.8-r15 |
| pkg:apk/chainguard/ruby3.2-elasticsearch | < 0 |
| pkg:apk/chainguard/ruby3.3-elasticsearch | < 0 |
| pkg:apk/chainguard/ruby3.4-elasticsearch | < 0 |
| pkg:apk/chainguard/ruby4.0-elasticsearch | < 9.3.0-r0 |
| pkg:apk/chainguard/sonarqube | < 25.12.0.117093-r0 |
| pkg:apk/chainguard/sonarqube-docker-compat | < 25.12.0.117093-r0 |
| pkg:apk/chainguard/sonarqube-scripts | < 25.12.0.117093-r0 |
| pkg:apk/wolfi/ruby3.2-elasticsearch | < 0 |
| pkg:apk/wolfi/ruby3.3-elasticsearch | < 0 |
| pkg:apk/wolfi/ruby3.4-elasticsearch | < 0 |
| pkg:apk/wolfi/ruby4.0-elasticsearch | < 9.3.0-r0 |
| pkg:apk/wolfi/sonarqube | < 25.12.0.117093-r0 |
| pkg:apk/wolfi/sonarqube-docker-compat | < 25.12.0.117093-r0 |
| pkg:apk/wolfi/sonarqube-scripts | < 25.12.0.117093-r0 |
| pkg:bitnami/elasticsearch | < 8.19.8 |
| pkg:maven/org.elasticsearch.plugin/x-pack-core | < 8.19.8 |