
CVE-2025-12147: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in floragunn Search Guard FLX

Medium
Vulnerability, CVE-2025-12147, cve, cve-2025-12147, cwe-200, cwe-732
Published: Wed Oct 29 2025 (10/29/2025, 15:29:54 UTC)
Source: CVE Database V5
Vendor/Project: floragunn
Product: Search Guard FLX

Description

In Search Guard FLX versions 3.1.1 and earlier, Field-Level Security (FLS) rules are improperly enforced on object-valued fields. When an FLS exclusion rule (e.g., ~field) is applied to a field which contains an object as its value, the object is correctly removed from the _source returned by search operations. However, the object members (i.e., child attributes) remain accessible to search queries. This exposure allows adversaries to infer or reconstruct the original contents of the excluded object.

Workaround: If you cannot upgrade immediately and FLS exclusion rules are used for object-valued attributes (like ~object), add an additional exclusion rule for the members of the object (like ~object.*).

AI-Powered Analysis

Last updated: 10/29/2025, 15:35:16 UTC

Technical Analysis

CVE-2025-12147 affects floragunn's Search Guard FLX, a security plugin for Elasticsearch that enforces Field-Level Security (FLS) rules to restrict access to specific fields in search results. In versions 3.1.1 and earlier, when an FLS exclusion rule is applied to a field containing an object (complex data structure), the entire object is removed from the _source field in search responses as intended. However, the enforcement is incomplete because the individual members (child attributes) of the object remain accessible through search queries. This improper enforcement allows an attacker with some level of privileges to query and retrieve sensitive information that was supposed to be excluded, effectively bypassing the intended security controls. The vulnerability is categorized under CWE-200 (Exposure of Sensitive Information) and CWE-732 (Incorrect Permission Assignment for Critical Resource). The CVSS 4.0 base score is 6.0 (medium), reflecting network attack vector, low attack complexity, partial authentication required, and high confidentiality impact. No user interaction is needed, and the vulnerability does not affect integrity or availability. There are no known exploits in the wild yet, and no official patches have been released at the time of publication. The recommended workaround is to add exclusion rules not only for the object field but also for all its child attributes (e.g., ~object.*) to prevent exposure until an upgrade or patch is available.

Potential Impact

The primary impact of this vulnerability is unauthorized disclosure of sensitive information stored within object-valued fields in Elasticsearch indices secured by Search Guard FLX. For European organizations, especially those in regulated industries such as finance, healthcare, and government, this could lead to data breaches violating GDPR and other privacy regulations, resulting in legal penalties and reputational damage. Attackers with limited privileges could escalate their access to sensitive data without needing to compromise additional credentials or perform complex attacks. The exposure of confidential business or personal data could facilitate further attacks, including social engineering or fraud. Since Search Guard FLX is widely used in Europe, particularly in countries with strong Elasticsearch adoption like Germany and the UK, the risk is significant. The lack of a patch at the time of disclosure means organizations must rely on workarounds, which, if improperly implemented, may leave data exposed.

Mitigation Recommendations

1. Immediately review and audit all FLS exclusion rules applied to object-valued fields in Search Guard FLX configurations.
2. Implement the recommended workaround by adding exclusion rules for both the object fields and all their child attributes (e.g., ~object and ~object.*) to ensure complete exclusion of sensitive data.
3. Monitor vendor communications closely for official patches or updates and plan prompt upgrades to versions beyond 3.1.1 once available.
4. Conduct thorough testing of FLS policies in a staging environment to verify that sensitive fields are fully protected against unauthorized queries.
5. Restrict privileges of users and roles to the minimum necessary to reduce the risk of exploitation.
6. Enable detailed logging and alerting on search queries that access sensitive fields to detect potential abuse.
7. Consider additional data encryption at rest and in transit to mitigate data exposure risks.
8. Educate security and DevOps teams about this vulnerability and the importance of precise FLS configurations.
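One way to carry out the audit in steps 1 and 2, as an added example (not floragunn's code or part of the original advisory): it compares a role's FLS rule list against an index mapping and reports every excluded object field whose members no exclusion rule covers. The function names, the sample mapping and the sample rules are constructed for illustration, and it assumes `*` in an FLS pattern also matches dots.

```python
from fnmatch import fnmatchcase

def walk(properties, prefix=""):
    """Yield (dotted_path, is_object) for every field in an ES mapping."""
    for name, spec in properties.items():
        path = prefix + name
        children = spec.get("properties")  # present on object/nested fields
        yield path, bool(children)
        if children:
            yield from walk(children, path + ".")

def audit_fls(fls_rules, mapping):
    """Return excluded object fields whose members are still uncovered."""
    # Exclusion rules start with "~"; strip it to get the field pattern.
    excluded = [r[1:] for r in fls_rules if r.startswith("~")]
    fields = list(walk(mapping.get("properties", {})))

    def is_excluded(path):
        # Assumption: "*" spans dots, as in fnmatch.
        return any(fnmatchcase(path, p) for p in excluded)

    findings = []
    for path, is_object in fields:
        if not is_object or not is_excluded(path):
            continue
        exposed = [f for f, _ in fields
                   if f.startswith(path + ".") and not is_excluded(f)]
        if exposed:
            findings.append({"object": path,
                             "exposed_members": exposed,
                             "add_rule": f"~{path}.*"})
    return findings

# Constructed sample: mapping as returned by GET <index>/_mapping (inner part).
SAMPLE_MAPPING = {"properties": {
    "title": {"type": "text"},
    "customer": {"properties": {
        "name": {"type": "keyword"},
        "address": {"properties": {"city": {"type": "keyword"}}}}},
    "payment": {"properties": {"iban": {"type": "keyword"}}},
}}
# Constructed sample rules: "customer" lacks the "~customer.*" companion.
SAMPLE_RULES = ["~customer", "~payment", "~payment.*"]

if __name__ == "__main__":
    for finding in audit_fls(SAMPLE_RULES, SAMPLE_MAPPING):
        print(finding)
```

Run it against each role's FLS list and the mappings of every index the role can read; an empty result means every excluded object also has its members excluded.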


Technical Details

Data Version: 5.2
Assigner Short Name: floragunn
Date Reserved: 2025-10-24T11:00:52.805Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69023421b9e127f7a363597f

Added to database: 10/29/2025, 3:34:57 PM

Last enriched: 10/29/2025, 3:35:16 PM

Last updated: 12/13/2025, 5:34:48 AM
