CVE-2025-37729 | THREATINT

Description

Improper neutralization of special elements used in a template engine in Elastic Cloud Enterprise (ECE) can lead to a malicious actor with Admin access exfiltrating sensitive information and issuing commands via a specially crafted string where Jinjava variables are evaluated.

PUBLISHED Reserved 2025-04-16 | Published 2025-10-13 | Updated 2025-11-06 | Assigner elastic

CRITICAL: 9.1CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Problem types

CWE-1336

Product status

Default status

unaffected

2.5.0 (semver)

affected

4.0.0 (semver)

affected

References

discuss.elastic.co/...0-2-security-update-esa-2025-21/382641

cve.org (CVE-2025-37729)

nvd.nist.gov (CVE-2025-37729)

Download JSON