Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-62371

CVE-2025-62371: Amazon OpenSearch Data Prepper Info Leak

CVE-2025-62371 is an information disclosure vulnerability in Amazon OpenSearch Data Prepper that allows SSL certificate bypass, enabling man-in-the-middle attacks. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-62371 Overview

OpenSearch Data Prepper is an open source data collector for observability data. A critical security flaw has been identified in versions prior to 2.12.2 where the OpenSearch sink and source plugins trust all SSL certificates by default when no certificate path is provided. This behavior bypasses SSL certificate validation, potentially allowing attackers to intercept and modify data in transit through man-in-the-middle (MITM) attacks.

Prior to this fix, the OpenSearch sink and source plugins would automatically use a "trust all SSL" strategy when connecting to OpenSearch clusters if no certificate path was explicitly configured. This vulnerability affects connections to OpenSearch when the cert parameter is not explicitly provided, exposing sensitive observability data to potential interception.

Critical Impact

Attackers can perform man-in-the-middle attacks to intercept and modify observability data in transit between Data Prepper and OpenSearch clusters, potentially compromising data integrity and confidentiality.

Affected Products

  • Amazon OpenSearch Data Prepper versions prior to 2.12.2
  • OpenSearch sink plugin with default SSL configuration
  • OpenSearch source plugin with default SSL configuration

Discovery Timeline

  • October 15, 2025 - CVE-2025-62371 published to NVD
  • December 04, 2025 - Last updated in NVD database

Technical Details for CVE-2025-62371

Vulnerability Analysis

This vulnerability is classified as CWE-295 (Improper Certificate Validation). The core issue stems from insecure default configuration in the OpenSearch Data Prepper's connection handling. When users deploy Data Prepper without explicitly specifying a certificate path for their OpenSearch cluster connections, the application defaults to trusting all SSL certificates without validation.

This architectural decision creates a significant security gap in production environments. The OpenSearch sink plugin, responsible for sending processed observability data to OpenSearch clusters, and the OpenSearch source plugin, used for reading data from OpenSearch, both exhibit this dangerous default behavior. The vulnerability requires network access and specific conditions (placing an attacker in a position to intercept traffic), but successful exploitation can lead to complete compromise of data confidentiality and integrity for observability pipelines.

Root Cause

The root cause is an insecure default configuration in the SSL/TLS implementation of the OpenSearch sink and source plugins. Rather than requiring explicit certificate configuration or failing securely when no certificate path is provided, the plugins implement a permissive "trust all" SSL strategy. This design choice prioritizes ease of setup over security, violating the principle of secure defaults and leaving deployments vulnerable to certificate-based attacks.

Attack Vector

The attack vector is network-based and requires the attacker to position themselves between the Data Prepper instance and the OpenSearch cluster. An attacker who can intercept network traffic (through techniques such as ARP spoofing, DNS hijacking, or compromised network infrastructure) can present their own SSL certificate to Data Prepper. Because Data Prepper trusts all certificates when the cert parameter is not configured, it will accept the attacker's certificate and establish a seemingly secure connection with the malicious intermediary.

The attacker can then decrypt, read, modify, and re-encrypt the observability data before forwarding it to the legitimate OpenSearch cluster, remaining undetected while compromising both confidentiality and integrity of the data pipeline.

Detection Methods for CVE-2025-62371

Indicators of Compromise

  • Review Data Prepper configuration files for OpenSearch sink/source entries without explicit cert parameter definitions
  • Monitor for unexpected SSL certificate changes or warnings in network security logs
  • Check for anomalous network paths or latency increases between Data Prepper and OpenSearch clusters
  • Audit TLS handshake logs for connections accepting untrusted or self-signed certificates

Detection Strategies

  • Implement network monitoring to detect potential MITM attack patterns on Data Prepper communication paths
  • Use configuration scanning tools to identify OpenSearch plugin configurations missing the cert parameter
  • Deploy certificate pinning validation at the network level to detect unauthorized certificates
  • Enable verbose SSL logging in Data Prepper to capture certificate validation events

Monitoring Recommendations

  • Continuously monitor Data Prepper to OpenSearch cluster communication for SSL/TLS anomalies
  • Implement alerting for configuration changes to OpenSearch sink and source plugins
  • Establish baseline network traffic patterns and alert on deviations that may indicate interception
  • Regularly audit Data Prepper deployments to ensure certificate paths are explicitly configured

How to Mitigate CVE-2025-62371

Immediate Actions Required

  • Upgrade OpenSearch Data Prepper to version 2.12.2 or later immediately
  • Audit all existing Data Prepper configurations for OpenSearch sink and source plugins
  • Add the cert parameter to all OpenSearch plugin configurations with the path to your cluster's CA certificate
  • Verify SSL/TLS certificate validation is functioning correctly after configuration changes

Patch Information

The vulnerability has been patched in OpenSearch Data Prepper version 2.12.2. Multiple commits address this issue:

For complete details, refer to the GitHub Security Advisory GHSA-43ff-rr26-8hx4.

Workarounds

  • Add the cert parameter to your OpenSearch sink or source configuration with the path to the cluster's CA certificate
  • Ensure all Data Prepper to OpenSearch communications traverse secured network segments with proper certificate validation
  • Implement network-level certificate validation as an additional layer of defense
  • Consider using mutual TLS (mTLS) for enhanced security between Data Prepper and OpenSearch clusters
bash
# Example OpenSearch sink configuration with explicit certificate path
# Add the cert parameter to your pipeline configuration
# opensearch-sink:
#   hosts: ["https://your-opensearch-cluster:9200"]
#   cert: "/path/to/your/ca-certificate.pem"
#   username: "${OPENSEARCH_USERNAME}"
#   password: "${OPENSEARCH_PASSWORD}"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.