CVE-2025-62371: OpenSearch Data Prepper plugins trust all SSL certificates by default
The OpenSearch sink and source plugins in Data Prepper are configured to trust all SSL certificates by default when no certificate path was provided, making connections vulnerable to man-in-the-middle attacks.
Prior to this fix, the OpenSearch sink and source plugins would automatically use a trust all SSL strategy when connecting to OpenSearch clusters if no certificate path was explicitly configured. This behavior bypassed SSL certificate validation, potentially allowing attackers to intercept and modify data in transit through man-in-the-middle attacks.
The vulnerability affects connections to OpenSearch when the cert parameter is not explicitly provided.
References
- github.com/advisories/GHSA-43ff-rr26-8hx4
- github.com/opensearch-project/data-prepper
- github.com/opensearch-project/data-prepper/commit/98fcf0d0ff9c18f1f7501e11dbed918814724b99
- github.com/opensearch-project/data-prepper/commit/b0386a5af3fb71094ba6c86cd8b2afc783246599
- github.com/opensearch-project/data-prepper/commit/db11ce8f27ebca018980b2bca863f7173de9ce56
- github.com/opensearch-project/data-prepper/security/advisories/GHSA-43ff-rr26-8hx4
- nvd.nist.gov/vuln/detail/CVE-2025-62371
Code Behaviors & Features
Detect and mitigate CVE-2025-62371 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →