What is the CVSS score of CVE-2025-25013?

CVE-2025-25013 has a CVSS 3.1 base score of 6.5 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. EPSS exploitation probability: 0.2%.

Which versions of Elastic are affected by CVE-2025-25013?

CVE-2025-25013 presents notable security risk, a log file exposure vulnerability rated CVSS 6.5. This could allow unauthorized file access.

How to fix or mitigate CVE-2025-25013?

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Review data exposure and access controls.

Elastic CVE-2025-25013

MEDIUM

Insertion of Sensitive Information into Log File (CWE-532)

2025-04-08 security@elastic.co

Information Disclosure Elastic

6.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:35 vuln.today

CVE Published

Apr 08, 2025 - 23:15 nvd

MEDIUM 6.5

DescriptionNVD

AnalysisAI

Improper restriction of environment variables in Elastic Defend can lead to exposure of sensitive information such as API keys and tokens via automatic transmission of unfiltered environment. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-532. Improper restriction of environment variables in Elastic Defend can lead to exposure of sensitive information such as API keys and tokens via automatic transmission of unfiltered environment variables to the stack.

Affected ProductsAI

See vendor advisory for affected versions.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

More from same product – last 7 days

CVE-2026-42398 HIGH This Week

7.7 May 28

Server-side request forgery in Elastic Kibana allows authenticated users holding connector management privileges to bypa

CVE-2026-33464 MEDIUM This Month

6.5 May 28

Denial of service in Kibana allows any authenticated low-privileged user to render the Kibana service unresponsive for a

CVE-2026-42399 MEDIUM This Month

6.5 May 28

Denial of service in Elastic Kibana allows an authenticated low-privileged user to crash the Kibana service and deny acc

CVE-2026-42400 MEDIUM This Month

6.5 May 28

Denial of service in Kibana allows any authenticated user to crash or render unresponsive a Kibana instance by sending a

CVE-2026-49094 MEDIUM This Month

6.5 May 28

Denial of service in Kibana's analytics collections management endpoint allows any authenticated user with viewer-level

CVE-2025-25013 vulnerability details – vuln.today

Back

Elastic CVE-2025-25013

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

Affected ProductsAI

RemediationAI

More from same product – last 7 days

Share

External POC / Exploit Code