CVE-2025-57564

HIGH EPSS 27.0%

Published Oct 7, 20258mo ago · Modified Jun 17, 20261w ago

8.2 CVSS 3.1

High

Published Oct 7, 2025 8mo ago

Last Modified Jun 17, 2026 1w ago

Description

CubeAPM nightly-2025-08-01-1 allow unauthenticated attackers to inject arbitrary log entries into production systems via the /api/logs/insert/elasticsearch/_bulk endpoint. This endpoint accepts bulk log data without requiring authentication or input validation, allowing remote attackers to perform unauthorized log injection. Exploitation may lead to false log entries, log poisoning, alert obfuscation, and potential performance degradation of the observability pipeline. The issue is present in the core CubeAPM platform and is not limited to specific deployment configurations.

CVSS Details

Base Score

8.2

Exploitability

3.9

Impact

4.2

Vector string

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction None

Scope Unchanged

Confidentiality High

Integrity Low

Availability None

Threat Intelligence

EPSS Exploit Probability

27.0% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-117

References 2

github.com https://github.com/prassan10/CubeAPM/blob/main/CVE-2025-57564%3A%20Unauthenticated%20Log%20Injection%20in%20CubeAPM
github.com https://github.com/prassan10/CubeAPM/blob/main/Unauthenticated-Log_Injection

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.