GHSA-x5hg-x4gv-j98m
LOWOpenSearch has ineffective TLS certificate hostname verification
Blast Radius
org.opensearch.plugin:opensearch-security☕org.opensearch.plugin:opensearch-securityReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Maven packages — download data is not available via public APIs for these ecosystems.
Description
Description
A regression was introduced in OpenSearch 2.18.0 that caused the plugins.security.ssl.transport.enforce_hostname_verification setting to be ineffective. When this setting was enabled, OpenSearch did not verify that the hostname in a connecting node's TLS certificate matched the hostname of the connection. This could allow a node with a valid certificate (signed by the cluster's trusted CA) but an incorrect hostname SAN to join the cluster.
Impact
Clusters running affected versions with hostname verification enabled did not receive the expected protection from this setting. A node presenting a certificate signed by the cluster's trusted CA could join the cluster regardless of whether its hostname SAN matched. This regression does not affect certificate validation itself — only the additional hostname verification check.
Patches
This issue is fixed in OpenSearch 2.19.4 and 3.3.0.
Workarounds
Use more restrictive values for plugins.security.nodes_dn to limit which certificates are accepted for node-to-node communication.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| ☕Maven | org.opensearch.plugin:opensearch-security | ≥ 2.18.0&&< 2.19.4.0 | 2.19.4.0 |
| ☕Maven | org.opensearch.plugin:opensearch-security | ≥ 3.0.0&&< 3.3.0.0 | 3.3.0.0 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for org.opensearch.plugin:opensearch-security. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update org.opensearch.plugin:opensearch-security to 2.19.4.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-x5hg-x4gv-j98m is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-x5hg-x4gv-j98m is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-x5hg-x4gv-j98m. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-x5hg-x4gv-j98m in your dependencies?
O3 detects GHSA-x5hg-x4gv-j98m across Maven dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.