CVE-2025-62371

HIGH

Amazon Opensearch Data Prepper - Improper Certificate Validation

Title source: rule

Description

OpenSearch Data Prepper as an open source data collector for observability data. In versions prior to 2.12.2, the OpenSearch sink and source plugins in Data Prepper trust all SSL certificates by default when no certificate path is provided. Prior to this fix, the OpenSearch sink and source plugins would automatically use a trust all SSL strategy when connecting to OpenSearch clusters if no certificate path was explicitly configured. This behavior bypasses SSL certificate validation, potentially allowing attackers to intercept and modify data in transit through man-in-the-middle attacks. The vulnerability affects connections to OpenSearch when the cert parameter is not explicitly provided. This issue has been patched in version 2.12.2. As a workaround, users can add the cert parameter to their OpenSearch sink or source configuration with the path to the cluster's CA certificate.

References (4)

Scores

CVSS v3 7.4
EPSS 0.0003
EPSS Percentile 6.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Classification

CWE
CWE-295
Status published

Affected Products (2)

amazon/opensearch_data_prepper < 2.12.2
org.opensearch.dataprepper.plugins/opensearch < 2.12.2Maven

Timeline

Published Oct 15, 2025
Tracked Since Feb 18, 2026