CVE-2025-62371 Overview
OpenSearch Data Prepper is an open source data collector for observability data. A critical security flaw has been identified in versions prior to 2.12.2 where the OpenSearch sink and source plugins trust all SSL certificates by default when no certificate path is provided. This behavior bypasses SSL certificate validation, potentially allowing attackers to intercept and modify data in transit through man-in-the-middle (MITM) attacks.
Prior to this fix, the OpenSearch sink and source plugins would automatically use a "trust all SSL" strategy when connecting to OpenSearch clusters if no certificate path was explicitly configured. This vulnerability affects connections to OpenSearch when the cert parameter is not explicitly provided, exposing sensitive observability data to potential interception.
Critical Impact
Attackers can perform man-in-the-middle attacks to intercept and modify observability data in transit between Data Prepper and OpenSearch clusters, potentially compromising data integrity and confidentiality.
Affected Products
- Amazon OpenSearch Data Prepper versions prior to 2.12.2
- OpenSearch sink plugin with default SSL configuration
- OpenSearch source plugin with default SSL configuration
Discovery Timeline
- October 15, 2025 - CVE-2025-62371 published to NVD
- December 04, 2025 - Last updated in NVD database
Technical Details for CVE-2025-62371
Vulnerability Analysis
This vulnerability is classified as CWE-295 (Improper Certificate Validation). The core issue stems from insecure default configuration in the OpenSearch Data Prepper's connection handling. When users deploy Data Prepper without explicitly specifying a certificate path for their OpenSearch cluster connections, the application defaults to trusting all SSL certificates without validation.
This architectural decision creates a significant security gap in production environments. The OpenSearch sink plugin, responsible for sending processed observability data to OpenSearch clusters, and the OpenSearch source plugin, used for reading data from OpenSearch, both exhibit this dangerous default behavior. The vulnerability requires network access and specific conditions (placing an attacker in a position to intercept traffic), but successful exploitation can lead to complete compromise of data confidentiality and integrity for observability pipelines.
Root Cause
The root cause is an insecure default configuration in the SSL/TLS implementation of the OpenSearch sink and source plugins. Rather than requiring explicit certificate configuration or failing securely when no certificate path is provided, the plugins implement a permissive "trust all" SSL strategy. This design choice prioritizes ease of setup over security, violating the principle of secure defaults and leaving deployments vulnerable to certificate-based attacks.
Attack Vector
The attack vector is network-based and requires the attacker to position themselves between the Data Prepper instance and the OpenSearch cluster. An attacker who can intercept network traffic (through techniques such as ARP spoofing, DNS hijacking, or compromised network infrastructure) can present their own SSL certificate to Data Prepper. Because Data Prepper trusts all certificates when the cert parameter is not configured, it will accept the attacker's certificate and establish a seemingly secure connection with the malicious intermediary.
The attacker can then decrypt, read, modify, and re-encrypt the observability data before forwarding it to the legitimate OpenSearch cluster, remaining undetected while compromising both confidentiality and integrity of the data pipeline.
Detection Methods for CVE-2025-62371
Indicators of Compromise
- Review Data Prepper configuration files for OpenSearch sink/source entries without explicit cert parameter definitions
- Monitor for unexpected SSL certificate changes or warnings in network security logs
- Check for anomalous network paths or latency increases between Data Prepper and OpenSearch clusters
- Audit TLS handshake logs for connections accepting untrusted or self-signed certificates
Detection Strategies
- Implement network monitoring to detect potential MITM attack patterns on Data Prepper communication paths
- Use configuration scanning tools to identify OpenSearch plugin configurations missing the cert parameter
- Deploy certificate pinning validation at the network level to detect unauthorized certificates
- Enable verbose SSL logging in Data Prepper to capture certificate validation events
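The configuration-scanning check above, as an added example that is not part of this advisory or the Data Prepper project: it loads a Data Prepper pipeline file with Ruby's standard-library YAML parser and flags every opensearch source or sink entry that connects over https without a cert path (the trust-all default before 2.12.2) or with verification explicitly disabled. The sample pipeline file is constructed for this example; the key name cert follows the advisory for both plugins, which is an assumption for the source plugin.

```ruby
require 'yaml'

# Constructed sample Data Prepper pipeline file (not from the advisory):
# the first sink relies on the pre-2.12.2 trust-all default, the second
# sets cert, and the replay source connects over https without cert.
SAMPLE_PIPELINES = <<~YAML
  log-pipeline:
    source:
      otel_trace_source:
        ssl: false
    sink:
      - opensearch:
          hosts: ["https://opensearch-a.internal:9200"]
          username: admin
          password: "${OPENSEARCH_PASSWORD}"
      - opensearch:
          hosts: ["https://opensearch-b.internal:9200"]
          cert: /etc/data-prepper/ca.pem
  replay-pipeline:
    source:
      opensearch:
        hosts: ["https://opensearch-b.internal:9200"]
    sink:
      - stdout:
YAML

# Returns one finding string per opensearch source/sink entry that uses an
# https host without a `cert` path, or that sets `insecure: true` (the sink's
# option for turning certificate verification off). Plain-http entries and
# non-opensearch plugins are ignored.
def find_unverified_opensearch(yaml_text)
  findings = []
  YAML.safe_load(yaml_text).each do |pipeline, spec|
    entries = []
    src = spec['source']
    entries << ['source', src['opensearch']] if src.is_a?(Hash) && src['opensearch']
    Array(spec['sink']).each do |s|
      entries << ['sink', s['opensearch']] if s.is_a?(Hash) && s['opensearch']
    end
    entries.each do |role, cfg|
      https = Array(cfg['hosts']).any? { |h| h.to_s.start_with?('https://') }
      next unless https
      if cfg['insecure'] == true
        findings << "#{pipeline}/#{role}: insecure: true disables certificate verification"
      elsif !cfg.key?('cert')
        findings << "#{pipeline}/#{role}: no cert path (trust-all default before 2.12.2)"
      end
    end
  end
  findings
end
```

Run it over each pipelines.yaml in a deployment and treat any returned finding as a configuration to fix before or alongside the upgrade to 2.12.2.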
Monitoring Recommendations
- Continuously monitor Data Prepper to OpenSearch cluster communication for SSL/TLS anomalies
- Implement alerting for configuration changes to OpenSearch sink and source plugins
- Establish baseline network traffic patterns and alert on deviations that may indicate interception
- Regularly audit Data Prepper deployments to ensure certificate paths are explicitly configured
How to Mitigate CVE-2025-62371
Immediate Actions Required
- Upgrade OpenSearch Data Prepper to version 2.12.2 or later immediately
- Audit all existing Data Prepper configurations for OpenSearch sink and source plugins
- Add the cert parameter to all OpenSearch plugin configurations with the path to your cluster's CA certificate
- Verify SSL/TLS certificate validation is functioning correctly after configuration changes
Patch Information
The vulnerability has been patched in OpenSearch Data Prepper version 2.12.2. Multiple commits address this issue:
For complete details, refer to the GitHub Security Advisory GHSA-43ff-rr26-8hx4.
Workarounds
- Add the cert parameter to your OpenSearch sink or source configuration with the path to the cluster's CA certificate
- Ensure all Data Prepper to OpenSearch communications traverse secured network segments with proper certificate validation
- Implement network-level certificate validation as an additional layer of defense
- Consider using mutual TLS (mTLS) for enhanced security between Data Prepper and OpenSearch clusters
Example OpenSearch sink configuration with an explicit certificate path. In a Data Prepper pipeline file the sink is declared as an opensearch entry under the pipeline's sink list; add the cert parameter there (pipeline name and paths below are placeholders):

  # Placeholder pipeline name; keep your existing source and processor sections
  my-pipeline:
    sink:
      - opensearch:
          hosts: ["https://your-opensearch-cluster:9200"]
          # Path to the CA certificate that signed the cluster's certificate
          cert: "/path/to/your/ca-certificate.pem"
          username: "${OPENSEARCH_USERNAME}"
          password: "${OPENSEARCH_PASSWORD}"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.