PT-2025-44309 · Elastic · Search Guard Flx

Published: 2025-10-29 · Updated: 2025-10-29 · CVE-2025-12147

CVSS v4.0: 6.0 (Medium)
Vector: AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions: Search Guard FLX versions 3.1.1 and earlier

Description: Field-Level Security (FLS) rules are not properly enforced on object-valued fields. When an FLS exclusion rule is applied to a field containing an object, the object itself is removed from search results, but its member fields remain accessible. This allows unauthorized access to the object's attributes, potentially enabling reconstruction of the excluded object's contents.

Recommendations: For versions 3.1.1 and earlier, if FLS exclusion rules are used for object-valued attributes, add an additional exclusion rule for the members of the object. For example, if excluding ~object, also exclude ~object.* as well.
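As an added example (not part of this advisory and not Search Guard's own code), the following Python check applies the recommendation above to a roles configuration. It assumes the documented Search Guard roles layout (role -> index_permissions -> fls, with a ~ prefix marking an exclusion rule); the role names, index patterns and the Elasticsearch-style mapping are constructed sample data. The mapping is used to decide which excluded fields are object-valued, so only those fields are reported and hardened with a ~object.* companion rule.

```python
"""Check FLS exclusion rules for object-valued fields (CVE-2025-12147 workaround).

Assumed layout: roles -> index_permissions -> fls, "~field" = exclusion
(as in Search Guard's sg_roles.yml). All names below are constructed.
"""
import copy

# Constructed Elasticsearch-style mapping: "address" is object-valued
# (it carries "properties"), "ssn" and "name" are scalar fields.
SAMPLE_MAPPING = {
    "properties": {
        "name": {"type": "text"},
        "ssn": {"type": "keyword"},
        "address": {
            "properties": {
                "street": {"type": "text"},
                "city": {"type": "keyword"},
                "geo": {"properties": {"lat": {"type": "float"},
                                       "lon": {"type": "float"}}},
            }
        },
    }
}

# Constructed roles: "analyst" excludes the object only (the vulnerable
# pattern), "auditor" already carries the recommended companion rule.
SAMPLE_ROLES = {
    "analyst": {
        "index_permissions": [
            {"index_patterns": ["customers-*"],
             "allowed_actions": ["SGS_READ"],
             "fls": ["~address", "~ssn"]}
        ]
    },
    "auditor": {
        "index_permissions": [
            {"index_patterns": ["customers-*"],
             "allowed_actions": ["SGS_READ"],
             "fls": ["~address", "~address.*"]}
        ]
    },
}


def object_fields_from_mapping(mapping, prefix=""):
    """Return dotted names of every object-valued field in the mapping
    (a field is object-valued when it has its own "properties")."""
    found = []
    for name, spec in mapping.get("properties", {}).items():
        path = prefix + name
        if "properties" in spec:
            found.append(path)
            found.extend(object_fields_from_mapping(spec, path + "."))
    return found


def _exclusions(perm):
    """Set of excluded field names ("~x" -> "x") in one index permission."""
    return {rule[1:] for rule in perm.get("fls", []) if rule.startswith("~")}


def missing_member_exclusions(roles, object_fields):
    """Return (role, rule) pairs for every "~object" exclusion of an
    object-valued field that lacks the companion "~object.*" rule."""
    objects = set(object_fields)
    findings = []
    for role_name, role in roles.items():
        for perm in role.get("index_permissions", []):
            excluded = _exclusions(perm)
            for field in sorted(excluded & objects):
                if field + ".*" not in excluded:
                    findings.append((role_name, "~" + field))
    return findings


def harden(roles, object_fields):
    """Return a deep copy of roles with "~object.*" appended wherever an
    object-valued field is excluded without its members."""
    fixed = copy.deepcopy(roles)
    objects = set(object_fields)
    for role in fixed.values():
        for perm in role.get("index_permissions", []):
            excluded = _exclusions(perm)
            for field in sorted(excluded & objects):
                if field + ".*" not in excluded:
                    perm.setdefault("fls", []).append("~" + field + ".*")
    return fixed


if __name__ == "__main__":
    objects = object_fields_from_mapping(SAMPLE_MAPPING)
    for role, rule in missing_member_exclusions(SAMPLE_ROLES, objects):
        print(f"role {role!r}: {rule} excludes an object; add {rule}.*")
    print(harden(SAMPLE_ROLES, objects)["analyst"]["index_permissions"][0]["fls"])
```

Run against a real deployment, replace SAMPLE_MAPPING with the index mapping returned by the cluster and SAMPLE_ROLES with the parsed sg_roles.yml; the check reports only fields that are actually objects, so scalar exclusions such as ~ssn are left alone, and a nested object that is never excluded directly (address.geo here) produces no finding.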

Fix

Weakness Enumeration: Information Disclosure, Incorrect Permission

Related Identifiers: CVE-2025-12147

Affected Products: Search Guard Flx