Impact
Elasticsearch is vulnerable to uncontrolled recursion, a form of resource exhaustion that can lead to denial of service when an authenticated user submits a specially crafted query. The flaw causes the server to allocate excessive resources while processing the request, potentially rendering the affected node unavailable. The weakness is classified as CWE-674, representing unbounded recursion.
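The advisory does not say what shape of query triggers the recursion. A generic control a defender can apply regardless is to bound the nesting depth of query bodies at a gateway or proxy before they reach the node. The following is an added example, not code from Elastic or OpenCVE; it assumes (unconfirmed by the advisory) that deeply nested query clauses are what drives the cost, and the limit value and `build_nested_bool` helper are constructed for illustration.

```python
"""Defensive nesting-depth guard for Elasticsearch query bodies.

Added example, not code from Elastic or OpenCVE. It assumes the expensive
recursion is driven by how deeply a query's clauses are nested; the advisory
does not confirm that, so treat the limit as a generic hardening control
applied in front of the node (proxy, gateway, or application layer).
"""
import json

# Constructed limit: set it just above the deepest legitimate query you observe.
DEFAULT_MAX_DEPTH = 20


def nesting_depth(node, depth=0):
    """Return the maximum nesting depth of a parsed JSON value.

    Walks iteratively with an explicit stack so the checker itself cannot be
    exhausted by the very input it is inspecting.
    """
    max_depth = depth
    stack = [(node, depth)]
    while stack:
        current, d = stack.pop()
        if d > max_depth:
            max_depth = d
        if isinstance(current, dict):
            for child in current.values():
                stack.append((child, d + 1))
        elif isinstance(current, list):
            for child in current:
                stack.append((child, d + 1))
    return max_depth


def check_query_body(raw_body, max_depth=DEFAULT_MAX_DEPTH):
    """Parse a request body and decide whether it may be forwarded.

    Returns (allowed, reason). Malformed JSON is rejected, and so is input so
    deeply nested that Python's own JSON parser hits its recursion limit;
    that case raises RecursionError rather than JSONDecodeError, which is easy
    to miss and would otherwise surface as an unhandled 500 at the proxy.
    """
    try:
        parsed = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        return False, f"malformed JSON: {exc.msg}"
    except RecursionError:
        return False, "nesting too deep to parse"
    depth = nesting_depth(parsed)
    if depth > max_depth:
        return False, f"query nesting depth {depth} exceeds limit {max_depth}"
    return True, f"depth {depth} within limit"


def build_nested_bool(levels):
    """Construct a synthetic query with `levels` bool clauses wrapped inside
    each other (constructed test input only, not a real attack payload)."""
    query = {"match_all": {}}
    for _ in range(levels):
        query = {"bool": {"must": [query]}}
    return json.dumps({"query": query})


if __name__ == "__main__":
    for levels in (0, 5, 10):
        allowed, reason = check_query_body(build_nested_bool(levels))
        print(f"{levels:2d} levels -> allowed={allowed}: {reason}")
```

Each wrapped `bool` adds three levels (the `bool` object, the `must` array, and the clause inside it), so five wrapped clauses reach depth 17 and pass the constructed limit of 20 while ten reach depth 32 and are refused. Log the rejections with the caller's identity: because the advisory states the flaw is reachable only by authenticated users, a burst of refused deep queries from one principal is a useful detection signal in its own right.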
Affected Systems
The vulnerability affects Elastic Elasticsearch nodes. Specific product versions are not listed in the data, so any deployment of Elasticsearch that has not applied the corresponding security update may be exposed.
Risk and Exploitability
The risk is moderate with a CVSS score of 6.5; EPSS data is unavailable, and the flaw is not currently listed in the CISA KEV catalog. Exploitation requires authentication, meaning the attacker must hold valid credentials or privileged access in order to submit queries. Given the lack of a publicly known exploit and the authentication requirement, the likelihood of widespread exploitation is low, but the impact on availability is significant for affected nodes.
OpenCVE Enrichment