CVE-2025-68390: Elasticsearch privileged authenticated users can cause DoS through Excessive Resource Allocation
Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow an authenticated user with snapshot restore privileges to cause Excessive Allocation (CAPEC-130) of memory and a denial of service (DoS) via a crafted HTTP request.