Insecure Exposure of Sensitive Information in Elastic Defend by Elastic
CVE-2025-25013

6.5MEDIUM

Key Information:

Vendor: Elastic
Status: Elastic Defend
Vendor: CVE Published:; 8 April 2025

Summary

The vulnerability in Elastic Defend arises from an improper restriction of environment variables, which can inadvertently allow sensitive information such as API keys and tokens to be exposed. This occurs through the automatic transmission of unfiltered environment variables to the stack. As a result, attackers may gain access to critical data that was not intended for public exposure. Organizations using Elastic Defend need to address this vulnerability promptly to safeguard their sensitive information.

Affected Version(s)

Elastic Defend MacOS 8.0.0 < 8.17.3

References

https://discuss.elastic.co/t/elastic-defend-8-17-3-securi...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 8, 2025
Vulnerability Reserved
Jan 31, 2025