CVE-2025-12147

In Search Guard FLX versions 3.1.1 and earlier, Field-Level Security (FLS) rules are improperly enforced on object-valued fields. When an FLS exclusion rule (e.g., ~field) is applied to a field which contains an object as its value, the object is correctly removed from the _source returned by search operations. However, the object members (i.e., child attributes) remain accessible to search queries. This exposure allows adversaries to infer or reconstruct the original contents of the excluded object. Workaround - If you cannot upgrade immediately and FLS exclusion rules are used for object valued attributes (like ~object), add an additional exclusion rule for the members of the object (like ~object.*).

CVSS

No CVSS.

References

Link	Resource
https://docs.search-guard.com/latest/changelog-searchguard-flx-3_1_2
https://search-guard.com/cve-advisory/

Configurations

No configuration.

History

29 Oct 2025, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-10-29 16:15

Updated : 2025-10-30 15:03

NVD link : CVE-2025-12147

Mitre link : CVE-2025-12147

CVE.ORG link : CVE-2025-12147

JSON object : View

Products Affected

No product.

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-732

Incorrect Permission Assignment for Critical Resource

{"id": "CVE-2025-12147", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security@search-guard.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.0, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-10-29T16:15:33.600", "references": [{"url": "https://docs.search-guard.com/latest/changelog-searchguard-flx-3_1_2", "source": "security@search-guard.com"}, {"url": "https://search-guard.com/cve-advisory/", "source": "security@search-guard.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security@search-guard.com", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-732"}]}], "descriptions": [{"lang": "en", "value": "In Search Guard FLX versions 3.1.1 and earlier, Field-Level Security (FLS) rules are improperly enforced on object-valued fields.\n\n\nWhen an FLS exclusion rule (e.g., ~field) is applied to a field which contains an object as its value, the object is correctly removed from the _source returned by search operations. However, the object members (i.e., child attributes) remain accessible to search queries. This exposure allows adversaries to infer or reconstruct the original contents of the excluded object.\n\n\n\n\nWorkaround - If you cannot upgrade immediately and FLS exclusion rules are used for object valued attributes (like ~object), add an additional exclusion rule for the members of the object (like ~object.*)."}], "lastModified": "2025-10-30T15:03:13.440", "sourceIdentifier": "security@search-guard.com"}