CVE-2022-31022: CWE-288: Authentication Bypass Using an Alternate Path or Channel in blevesearch bleve
Bleve is a text indexing library for Go. Bleve includes HTTP utilities under the bleve/http package that are used by its sample application. These HTTP methods pave the way for exploitation of the filesystem of the node where the bleve index resides, if the user has used bleve’s own HTTP (bleve/http) handlers to expose access to the indexes. For instance, the CreateIndexHandler (`http/index_create.go`) and DeleteIndexHandler (`http/index_delete.go`) enable an attacker to create a bleve index (directory structure) anywhere the user running the server has write permissions and to recursively delete any directory owned by the same user account. Users who have used the bleve/http package to expose access to a bleve index without explicit handling of Role Based Access Controls (RBAC) for the index assets are impacted by this issue. Version 2.5.0 relocated the `http/` dir, used _only_ by bleve-explorer, to `blevesearch/bleve-explorer`, thereby addressing the issue. However, the http package is purely intended for demonstration purposes. Bleve was never designed to handle RBAC, nor was it ever advertised to be used in that way. The collaborators of this project have decided to stay away from adding any authentication or authorization to the bleve project at the moment. The bleve/http package is mainly for demonstration purposes and it lacks exhaustive validation of user inputs as well as any authentication and authorization measures. It is recommended not to use bleve/http in production use cases.
AI Analysis
Technical Summary
CVE-2022-31022 is a medium severity vulnerability affecting the Bleve text indexing library for the Go programming language, specifically versions from 0.1.0 up to but not including 2.5.0. Bleve includes an HTTP utility package (bleve/http) intended primarily for demonstration purposes, which exposes HTTP handlers such as CreateIndexHandler and DeleteIndexHandler. These handlers allow creation and deletion of Bleve indexes via HTTP requests. The vulnerability arises because these handlers do not implement any authentication or authorization controls, nor do they enforce Role Based Access Control (RBAC) on the index assets. Consequently, an attacker who can reach these HTTP endpoints can exploit the lack of access controls to create directories (indexes) or recursively delete directories anywhere on the filesystem where the server process has write permissions. This effectively allows an authentication bypass via an alternate channel, enabling unauthorized modification of the filesystem. The issue was addressed in Bleve version 2.5.0 by relocating the HTTP handlers used only by bleve-explorer to a different package, and the project maintainers have explicitly stated that the bleve/http package is not intended for production use and lacks exhaustive input validation and security controls. The CVSS 3.1 score is 6.2 (medium), reflecting local network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, no confidentiality impact, high integrity impact, and no availability impact. There are no known exploits in the wild. The vulnerability stems from CWE-288 (Authentication Bypass Using Alternate Path or Channel) and CWE-306 (Missing Authentication for Critical Function).
Potential Impact
For European organizations using Bleve versions prior to 2.5.0 and exposing the bleve/http package in production environments, this vulnerability poses a significant risk. An attacker with network access to the exposed HTTP endpoints can create or delete index directories arbitrarily, potentially leading to unauthorized data manipulation or destruction. This could compromise the integrity of indexed data, disrupt search functionality, or cause denial of service by deleting critical directories. Since the vulnerability requires no authentication or user interaction, exploitation can be straightforward if the HTTP interface is exposed beyond trusted internal networks. The impact is particularly critical for organizations relying on Bleve for indexing sensitive or operational data, such as financial institutions, healthcare providers, or government agencies in Europe. Additionally, the ability to delete arbitrary directories owned by the server user could be leveraged to escalate attacks or disrupt services. However, the vulnerability does not directly impact confidentiality or availability, and the attack vector is local network or internal exposure, limiting risk if proper network segmentation and access controls are in place.
Mitigation Recommendations
European organizations should immediately audit their use of Bleve to determine if the vulnerable bleve/http package is exposed in production environments. If so, they should upgrade to Bleve version 2.5.0 or later, which removes the vulnerable HTTP handlers from the main package. If upgrading is not immediately feasible, organizations must ensure that the bleve/http endpoints are not exposed to untrusted networks by implementing strict network segmentation and firewall rules limiting access only to trusted hosts. Additionally, organizations should implement external authentication and authorization layers (e.g., reverse proxies with RBAC enforcement) in front of any HTTP endpoints exposing Bleve indexes. It is critical to avoid using the bleve/http package in production environments altogether, as the project maintainers explicitly advise against it. Regularly monitoring logs for unusual index creation or deletion requests can help detect exploitation attempts. Finally, organizations should consider alternative indexing solutions that provide built-in authentication and authorization if Bleve’s limitations cannot be mitigated effectively.
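As an added example (not code from the bleve project), the following Go snippet applies the two mitigations described above to a DeleteIndexHandler-style endpoint: an authorization check in front of the handler and confinement of the user-supplied index name to a fixed base directory, so the handler can no longer reach arbitrary directories writable by the server user. The X-Role header, the role name and the function names are assumptions made for illustration.

```go
package main

import (
	"errors"
	"net/http"
	"path/filepath"
	"strings"
)

// safeIndexPath confines a user-supplied index name to baseDir: it rejects "",
// ".", "..", and names with a separator, then checks the path is directly under baseDir.
func safeIndexPath(baseDir, name string) (string, error) {
	if name == "" || name == "." || name == ".." || strings.ContainsAny(name, `/\`) {
		return "", errors.New("invalid index name")
	}
	base := filepath.Clean(baseDir)
	p := filepath.Join(base, name)
	if filepath.Dir(p) != base {
		return "", errors.New("index name escapes base directory")
	}
	return p, nil
}

// requireRole passes only requests whose hypothetical X-Role header (assumed to be set by an authenticating reverse proxy) carries an allowed role.
func requireRole(allowed map[string]bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !allowed[r.Header.Get("X-Role")] {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// deleteIndexHandler is a guarded stand-in for bleve's DeleteIndexHandler: the name
// query parameter is confined to baseDir and removal is delegated to remove (os.RemoveAll).
func deleteIndexHandler(baseDir string, remove func(string) error) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		p, err := safeIndexPath(baseDir, r.URL.Query().Get("name"))
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		if err := remove(p); err != nil {
			http.Error(w, "delete failed", http.StatusInternalServerError)
			return
		}
		w.WriteHeader(http.StatusNoContent)
	})
}
```

In a server this would be mounted as `requireRole(map[string]bool{"index-admin": true}, deleteIndexHandler("/var/lib/bleve", os.RemoveAll))`, with the reverse proxy stripping any client-supplied X-Role header before setting its own.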
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-05-18T00:00:00.000Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d9819c4522896dcbd8600
Added to database: 5/21/2025, 9:08:41 AM
Last enriched: 7/5/2025, 6:57:26 AM
Last updated: 2/4/2026, 1:11:04 AM