CVEDB API

Vulnerabilities

By Date
Known Exploited
Advanced Search

Vulnerable Software

Vendors
Products

Vulnerability Details CVE-2025-35434

CISA Thorium does not validate TLS certificates when connecting to Elasticsearch. An unauthenticated attacker with access to a Thorium cluster could impersonate the Elasticsearch service. Fixed in 1.1.2.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.0

EPSS Ranking 9.7%

CVSS Severity

CVSS v3 Score 4.2

References

https://github.com/cisagov/thorium/blob/main/api/src/models/backends/setup/elastic_setup.rs#L36-L43
https://github.com/cisagov/thorium/releases/tag/1.1.2
https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-259-01.json
https://www.cve.org/CVERecord?id=CVE-2025-35434

Products affected by CVE-2025-35434

Cisa » Thorium » Version: 1.0.0

cpe:2.3:a:cisa:thorium:1.0.0
Cisa » Thorium » Version: 1.1.0

cpe:2.3:a:cisa:thorium:1.1.0
Cisa » Thorium » Version: 1.1.1

cpe:2.3:a:cisa:thorium:1.1.1

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2025-35434

Products

Pricing

Contact Us