Vulnerability Description
CubeAPM nightly-2025-08-01-1 allows unauthenticated attackers to inject arbitrary log entries into production systems via the /api/logs/insert/elasticsearch/_bulk endpoint. This endpoint accepts bulk log data without requiring authentication or input validation, allowing remote attackers to perform unauthorized log injection. Exploitation may lead to false log entries, log poisoning, alert obfuscation, and potential performance degradation of the observability pipeline. The issue is present in the core CubeAPM platform and is not limited to specific deployment configurations.
CVSS Score
8.2 (HIGH)
References
- https://github.com/prassan10/CubeAPM/blob/main/CVE-2025-57564%3A%20Unauthenticat
- https://github.com/prassan10/CubeAPM/blob/main/Unauthenticated-Log_Injection
FAQ
What is CVE-2025-57564?
CVE-2025-57564 is a vulnerability with a CVSS score of 8.2 (HIGH). CubeAPM nightly-2025-08-01-1 allows unauthenticated attackers to inject arbitrary log entries into production systems via the /api/logs/insert/elasticsearch/_bulk endpoint. This endpoint accepts bulk l...
How severe is CVE-2025-57564?
CVE-2025-57564 has been rated HIGH with a CVSS base score of 8.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-57564?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.