OpenSearch Data Prepper <2.12.2 SSL Trust-All Bypass
CVE-2025-62371 Published on October 15, 2025
OpenSearch Data Prepper plugins trusts all SSL certificates by default
OpenSearch Data Prepper as an open source data collector for observability data. In versions prior to 2.12.2, the OpenSearch sink and source plugins in Data Prepper trust all SSL certificates by default when no certificate path is provided. Prior to this fix, the OpenSearch sink and source plugins would automatically use a trust all SSL strategy when connecting to OpenSearch clusters if no certificate path was explicitly configured. This behavior bypasses SSL certificate validation, potentially allowing attackers to intercept and modify data in transit through man-in-the-middle attacks. The vulnerability affects connections to OpenSearch when the cert parameter is not explicitly provided. This issue has been patched in version 2.12.2. As a workaround, users can add the cert parameter to their OpenSearch sink or source configuration with the path to the cluster's CA certificate.
Vulnerability Analysis
CVE-2025-62371 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and no impact on availability.
Weakness Type
Improper Certificate Validation
The software does not validate, or incorrectly validates, a certificate. When a certificate is invalid or malicious, it might allow an attacker to spoof a trusted entity by interfering in the communication path between the host and client. The software might connect to a malicious host while believing it is a trusted host, or the software might be deceived into accepting spoofed data that appears to originate from a trusted host.
Products Associated with CVE-2025-62371
Want to know whenever a new CVE is published for Opensearch Project Data Prepper? stack.watch will email you.
Affected Versions
opensearch-project data-prepper Version < 2.12.2 is affected by CVE-2025-62371Vulnerable Packages
The following package name and versions may be associated with CVE-2025-62371
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| maven | org.opensearch.dataprepper.plugins:opensearch | < 2.12.2 | 2.12.2 |
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.