CVE-2025-57564HIGH 8.2EPSS p26.8%

CVE-2025-57564CVE-2025-57564

Description

CubeAPM nightly-2025-08-01-1 allow unauthenticated attackers to inject arbitrary log entries into production systems via the /api/logs/insert/elasticsearch/_bulk endpoint. This endpoint accepts bulk log data without requiring authentication or input validation, allowing remote attackers to perform unauthorized log injection. Exploitation may lead to false log entries, log poisoning, alert obfuscation, and potential performance degradation of the observability pipeline. The issue is present in the core CubeAPM platform and is not limited to specific deployment configurations.

Scoring

CVSS 3.18.2 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
EPSS0.35% probability of exploitation · percentile 26.8% · 2026-06-18T12:00:27Z
Published2025-10-07
Last modified2026-04-15

Underlying weaknesses· 1

CWE-117

References

  1. https://github.com/prassan10/CubeAPM/blob/main/CVE-2025-57564%3A%20Unauthenticated%20Log%20Injection%20in%20CubeAPM
  2. https://github.com/prassan10/CubeAPM/blob/main/Unauthenticated-Log_Injection

1

TypeTargetConfidenceTier
WeaknessImproper Output Neutralization for Logscwe-1170%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-25014
CVE
CVE-2025-58469
CVE
CVE-2025-54735
CVE
CVE-2025-25015
CVE
CVE-2025-49181
CVE
CVE-2025-0767
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.