Skip to main content
CVE Vulnerability Database

CVE-2025-9624: Amazon OpenSearch DoS Vulnerability

CVE-2025-9624 is a denial of service vulnerability in Amazon OpenSearch caused by complex query_string inputs. Attackers can exploit this flaw to disrupt service availability. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2025-9624 Overview

CVE-2025-9624 is a denial-of-service vulnerability in OpenSearch, the open-source search and analytics engine maintained by the OpenSearch Project. Attackers with low-privileged authenticated access can submit crafted query_string inputs that trigger uncontrolled recursion during query parsing. The resulting resource exhaustion degrades cluster availability and can render search nodes unresponsive.

The issue is tracked under CWE-674 (Uncontrolled Recursion) and affects all OpenSearch releases between 3.0.0 and prior to 3.3.0, as well as all 2.x versions prior to 2.19.4.

Critical Impact

Authenticated attackers can disable OpenSearch cluster availability by submitting crafted query_string payloads that exhaust node resources through recursive query parsing.

Affected Products

  • OpenSearch 3.0.0 through versions prior to 3.3.0
  • OpenSearch versions prior to 2.19.4
  • Amazon OpenSearch deployments running affected versions

Discovery Timeline

  • 2025-11-25 - CVE-2025-9624 published to NVD
  • 2025-12-15 - Last updated in NVD database

Technical Details for CVE-2025-9624

Vulnerability Analysis

The vulnerability resides in the OpenSearch query parsing layer that handles the query_string query type. The query_string syntax supports Boolean operators, grouping, wildcards, and nested clauses. When OpenSearch receives a deeply nested or recursively constructed expression, the parser invokes itself repeatedly without enforcing depth limits or cost controls.

This leads to excessive CPU consumption, stack growth, and thread blocking on the receiving data nodes. A single attacker request can monopolize search threads, and a small burst of requests can saturate the cluster. Because OpenSearch is commonly deployed as the backend for security analytics, logging, and observability pipelines, an outage cascades into loss of visibility for downstream consumers.

Root Cause

The root cause is uncontrolled recursion ([CWE-674]) during evaluation of complex query_string expressions. The parser does not bound recursion depth or reject pathological inputs before they consume node resources, allowing a single API call to escalate into a resource-exhaustion condition.

Attack Vector

Exploitation requires network access to the OpenSearch HTTP API and a valid account with permission to issue search queries. The attacker submits a POST request to a _search endpoint with a malformed or deeply nested query_string clause. No user interaction is required, and no special privileges beyond standard search rights are needed. See the Fluid Attacks Advisory for additional context on the parsing behavior.

Detection Methods for CVE-2025-9624

Indicators of Compromise

  • Sudden CPU and heap pressure on OpenSearch data nodes without a corresponding indexing workload increase
  • Search threads blocked for extended periods, visible in _nodes/hot_threads output
  • Repeated _search requests containing query_string clauses with unusually deep nesting, long boolean chains, or stacked wildcards
  • Cluster health transitioning to yellow or red with thread pool rejections in _cat/thread_pool

Detection Strategies

  • Inspect OpenSearch slow query logs for query_string queries exceeding normal latency thresholds
  • Alert on HTTP 5xx responses or timeouts from _search endpoints originating from a single authenticated principal
  • Correlate authentication logs with search activity to identify accounts issuing unusually expensive queries
  • Baseline normal query complexity per role and flag deviations in nested clause counts

Monitoring Recommendations

  • Forward OpenSearch audit logs, slow logs, and node metrics to a centralized analytics platform for correlation
  • Track JVM heap usage, GC pause duration, and search thread pool queue depth as availability signals
  • Monitor for repeated parsing failures and stack overflow exceptions in node logs

How to Mitigate CVE-2025-9624

Immediate Actions Required

  • Upgrade OpenSearch 3.x deployments to version 3.3.0 or later as documented in the GitHub Release 3.3.0 notes
  • Upgrade OpenSearch 2.x deployments to version 2.19.4 or later as documented in the GitHub Release 2.19.4 notes
  • Restrict search API access to trusted roles and remove unused service accounts with broad search permissions
  • Review recent audit logs for abusive query_string patterns prior to patching

Patch Information

The OpenSearch Project addressed CVE-2025-9624 in releases 2.19.4 and 3.3.0. Both releases enforce stricter limits during query_string parsing to prevent uncontrolled recursion. Operators should validate the upgrade in a staging cluster before rolling production data nodes.

Workarounds

  • Disable or restrict use of query_string in favor of structured query types such as bool, term, or match where feasible
  • Place a reverse proxy or API gateway in front of OpenSearch to inspect and reject oversized or deeply nested query bodies
  • Apply role-based access control to limit which users can issue arbitrary query_string queries
  • Set conservative search timeouts and circuit breaker thresholds to contain the blast radius of expensive queries
bash
# Example: enforce search timeout and reject oversized request bodies at the cluster level
curl -XPUT "https://opensearch.example.com:9200/_cluster/settings" \
  -H 'Content-Type: application/json' \
  -u admin:'****' \
  -d '{
    "persistent": {
      "search.default_search_timeout": "10s",
      "indices.breaker.request.limit": "40%",
      "http.max_content_length": "10mb"
    }
  }'

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.