GeoIP processor disables SSL certificate validation when downloading databases

Impact

The GeoIP processor in Data Prepper was configured to trust all SSL certificates and disable hostname verification when downloading GeoIP databases from HTTP URLs, making downloads vulnerable to man-in-the-middle attacks.

The GeoIP processor included a custom SSL implementation that completely bypassed certificate validation when downloading GeoIP databases from external sources. The initiateSSL() method incorrectly implemented an approach for trusting all certificates. Specifically it:

Accepted all SSL certificates without validation
Disabled server certificate verification
Disabled client certificate verification
Disabled hostname verification

This configuration made database downloads vulnerable to man-in-the-middle attacks, potentially allowing attackers to serve malicious GeoIP databases that could compromise the integrity of geolocation data processing.

Patches

Data Prepper 2.12.2 contains a fix for this issue.

Workarounds

If upgrading is not immediately possible:

Use local GeoIP database files instead of downloading from HTTP URLs
Ensure database downloads occur only over trusted networks

Published: Oct 15, 2025
Updated: Oct 16, 2025
GHSA: GHSA-3xgr-h5hq-7299
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

CWEs:

CWE-295

OWASP TOP 10:

A3 - Sensitive Data Exposure

Affected Software
References

Software	From	Fixed in
org.opensearch.dataprepper.plugins / geoip-processor	2.7.0	2.12.2

Vulnerability Database

319,561

GeoIP processor disables SSL certificate validation when downloading databases

Impact

Patches

Workarounds

Deep Security Visibility Without the Complexity