Improper Neutralization in Elastic Cloud Enterprise Template Engine
CVE-2025-37729

9.1 CRITICAL

Key Information:

Vendor:
Elastic

CVE Published:
13 October 2025

What is CVE-2025-37729?

The vulnerability in Elastic Cloud Enterprise (ECE) arises from improper neutralization of special elements used by its template engine, Jinjava. An attacker who already holds Admin access could potentially submit a carefully crafted string that is evaluated as Jinjava variables, allowing them to exfiltrate sensitive information and execute commands. This could lead to unauthorized access to confidential data and manipulation of command execution within the affected platforms.

Affected Version(s)

Elastic Cloud Enterprise (ECE) 2.5.0 through 3.8.1 (inclusive)

Elastic Cloud Enterprise (ECE) 4.0.0 through 4.0.1 (inclusive)

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Changed
