CVE-2025-62371 in data-prepper
Summary
by MITRE • 10/15/2025
OpenSearch Data Prepper is an open source data collector for observability data. In versions prior to 2.12.2, the OpenSearch sink and source plugins in Data Prepper trust all SSL certificates by default when no certificate path is provided. Prior to this fix, the OpenSearch sink and source plugins would automatically use a trust all SSL strategy when connecting to OpenSearch clusters if no certificate path was explicitly configured. This behavior bypasses SSL certificate validation, potentially allowing attackers to intercept and modify data in transit through man-in-the-middle attacks. The vulnerability affects connections to OpenSearch when the cert parameter is not explicitly provided. This issue has been patched in version 2.12.2. As a workaround, users can add the cert parameter to their OpenSearch sink or source configuration with the path to the cluster's CA certificate.
Analysis
by VulDB Data Team • 10/15/2025
CVE-2025-62371 is a certificate validation flaw in OpenSearch Data Prepper versions prior to 2.12.2 that undermines the TLS connections between Data Prepper and the OpenSearch clusters it reads from and writes to. It sits in the OpenSearch sink and source plugins: when no certificate path is configured, both plugins fall back to a "trust all" SSL strategy instead of validating the server's certificate against a trust store. Because no certificate is ever rejected, an attacker positioned on the network path between Data Prepper and the cluster can present their own certificate, terminate TLS themselves and relay the traffic, a man-in-the-middle that the client has no way to detect. That exposes the confidentiality and integrity of everything on the connection: the observability data the sink writes, the documents the source reads, and any credentials the plugin sends to authenticate (for example an HTTP basic-auth username and password).
The weakness is CWE-295 (Improper Certificate Validation). Certificate validation is what binds a TLS session to the intended peer: the client must build a chain from the presented certificate to a trusted CA (RFC 5280) and confirm that the certificate names the host it actually dialed (RFC 6125); NIST SP 800-52 Rev. 2 makes the same requirement of TLS clients. When the cert parameter is omitted, the plugins skip both steps, so the session is encrypted but to an unverified party, which removes the authentication TLS is supposed to provide and, with it, any guarantee of confidentiality or integrity against an active attacker. Note that this is a default rather than an explicit opt-in: a configuration that uses https:// hosts and never disables verification anywhere is still unprotected.
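To make the difference between the two behaviours concrete, here is an added, self-contained Go program written for this page (not code from Data Prepper, which is a Java project). It mints a throwaway CA, a cluster certificate signed by that CA, and an unrelated self-signed certificate that plays the rogue endpoint, then connects to both with a trust-all client (Go's InsecureSkipVerify, the analogue of the pre-2.12.2 default) and with a client that trusts only the CA (the analogue of setting cert). All certificates, names and endpoints are generated in-process on loopback; nothing here is taken from a real cluster.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // fine for a demo, not for production code
	}
	return v
}

// issue mints a certificate for the loopback addresses httptest listens on; nil parent means self-signed.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("::1")},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// serve starts a loopback HTTPS endpoint presenting cert; the handler is irrelevant, only the handshake matters.
func serve(cert *x509.Certificate, key *ecdsa.PrivateKey) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.NotFoundHandler())
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}}}
	srv.StartTLS()
	return srv
}

func newClient(cfg *tls.Config) *http.Client {
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
}

// accepts reports whether client got any HTTP response from url, i.e. completed the TLS handshake.
func accepts(client *http.Client, url string) bool {
	resp, err := client.Get(url)
	if err != nil {
		return false
	}
	resp.Body.Close()
	return true
}

// Outcome records which endpoint each client configuration was willing to talk to.
type Outcome struct {
	TrustAllGenuine, TrustAllRogue, PinnedGenuine, PinnedRogue bool
}

// RunScenario stands up a genuine cluster endpoint (certificate signed by our
// CA) and a rogue one (self-signed, standing in for a man-in-the-middle), then
// probes both with a trust-all client and with a client that trusts only the CA.
func RunScenario() Outcome {
	ca, caKey := issue("demo-ca", true, nil, nil)
	genuine := serve(issue("opensearch", false, ca, caKey))
	defer genuine.Close()
	rogue := serve(issue("opensearch", false, nil, nil)) // attacker-controlled certificate
	defer rogue.Close()
	trustAll := newClient(&tls.Config{InsecureSkipVerify: true}) // the pre-2.12.2 default behaviour
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	pinned := newClient(&tls.Config{RootCAs: pool}) // the `cert` workaround: chain to this CA only
	return Outcome{
		TrustAllGenuine: accepts(trustAll, genuine.URL),
		TrustAllRogue:   accepts(trustAll, rogue.URL),
		PinnedGenuine:   accepts(pinned, genuine.URL),
		PinnedRogue:     accepts(pinned, rogue.URL),
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

Run it with go run; the trust-all client accepts both endpoints, while the pinned client accepts only the genuine one and fails the rogue handshake with an "unknown authority" error. Pinning a CA in Go's tls.Config also enforces that the leaf certificate matches the dialed host, which is why the demo certificates carry loopback IP SANs; whether Data Prepper's cert parameter enforces hostname matching is not stated by the advisory and is not assumed here.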
The operational impact is that of an undetectable man-in-the-middle on the pipeline's cluster connection. An attacker who can intercept or redirect that traffic (a compromised host or network device on the path, or a rogue endpoint reached through DNS or routing manipulation) can read logs, traces and metrics in transit, which routinely carry hostnames, user identifiers, error details and occasionally secrets; can alter or drop records before they are indexed, masking an intrusion or manufacturing false alerts; and, for the source plugin, can feed tampered documents back into the pipeline. Every configuration that omits cert is affected, which makes the issue most dangerous where defaults are used or where administrators assumed that an https:// URL implied verification. It is worth being precise about the precondition: this is not a remote exploit of Data Prepper itself, since the attacker must already hold a position from which to intercept or redirect the connection.
Mitigation for CVE-2025-62371 is to upgrade to OpenSearch Data Prepper 2.12.2 or later, which no longer falls back to trusting all certificates when cert is absent. Until that is possible, set the cert parameter on every OpenSearch sink and source to the path of the CA certificate that signed the cluster's certificate; with a CA configured, the plugin validates the chain and an attacker's certificate is rejected. In MITRE ATT&CK terms the attack this weakness enables is Adversary-in-the-Middle (T1557, under the Credential Access and Collection tactics); the fix restores the peer verification TLS requires rather than adding a new control. Beyond the immediate patch, treat a missing cert path, and any explicit disabling of certificate verification, as findings in configuration review; audit existing pipeline definitions for OpenSearch sinks and sources that lack cert; and apply the same scrutiny to other components that connect to OpenSearch, since the same silent fallback pattern can appear elsewhere.
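The workaround above, as an added configuration example constructed for this page (not taken from the advisory or from the Data Prepper project): a sink definition without cert, which on versions before 2.12.2 silently trusts any certificate, beside the pinned version. Pipeline names, the host, the certificate path and the credentials are placeholders; hosts, index, username, password, cert and insecure are the opensearch sink's option names, and the http source is only there to make each pipeline complete. The advisory states that the source plugin takes the same cert parameter; its exact nesting is not shown here.

```yaml
# Before: no `cert`, so on Data Prepper < 2.12.2 the sink falls back to a
# trust-all SSL strategy even though the host is https://.
log-pipeline-unpinned:
  source:
    http:
  sink:
    - opensearch:
        hosts: ["https://opensearch.internal.example:9200"]
        username: "data-prepper"
        password: "change-me"          # placeholder, not a real credential
        index: "app-logs"

# After: pin the cluster CA. The connection now fails closed if the presented
# certificate does not chain to this CA.
log-pipeline-pinned:
  source:
    http:
  sink:
    - opensearch:
        hosts: ["https://opensearch.internal.example:9200"]
        cert: "/etc/data-prepper/certs/opensearch-ca.pem"   # CA that signed the cluster's cert
        username: "data-prepper"
        password: "change-me"          # placeholder, not a real credential
        index: "app-logs"
        # Never add `insecure: true` here: it is the explicit form of the same
        # trust-all behaviour and should be rejected in configuration review.
```

The file to pin is the CA certificate (or the self-signed server certificate, if the cluster uses one), not a client certificate; pointing cert at the wrong file makes every connection fail, which is the correct failure mode and a quick way to confirm that validation is actually in force.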