CVE-2025-37729

Summary

Improper neutralization of special elements used in a template engine in Elastic Cloud Enterprise (ECE) can lead to a malicious actor with Admin access exfiltrating sensitive information and issuing commands via a specially crafted string where Jinjava variables are evaluated.

Affected Software

VendorProductVersion RangeStatus
ElasticElastic Cloud Enterprise (ECE)2.5.0 <= 3.8.1affected
ElasticElastic Cloud Enterprise (ECE)4.0.0 <= 4.0.1affected

Weaknesses

  • CWE-1336: CWE-1336

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References