Elastic has published a security advisory addressing two significant vulnerabilities in Kibana, the visualization and dashboarding layer for the Elastic Stack. One vulnerability, CVE-2025-2135, is particularly severe, with a CVSS score of 9.9, and could allow heap corruption and code execution through a type confusion flaw in Chromium. The second flaw, CVE-2025-25012 (CVSS 4.3), involves an open redirect risk tied to Kibana’s Short URL feature.
CVE-2025-2135 – Heap Corruption via Reporting (CVSS 9.9)
This critical-severity vulnerability is linked to a Type Confusion flaw in Chromium, which underpins Kibana’s reporting engine. According to the advisory, the issue can be exploited through a crafted HTML page, leading to heap memory corruption—a precursor to potential remote code execution.
The risk is highest in self-hosted or Elastic Cloud Kibana instances that enable PDF or PNG reporting. CSV report generation remains unaffected.
Users should upgrade to version 7.17.29, 8.17.8, 8.18.3, or 9.0.3 to resolve the issue.
Workarounds for Those Unable to Upgrade:
- Disable Reporting via xpack.reporting.enabled: false in kibana.yml
- Restrict report generation access to trusted accounts
- Apply strict network policies to prevent unauthorized Chromium-to-Kibana connections
On Elastic Cloud, code execution is contained within a Docker container, and Elastic notes that AppArmor and seccomp-bpf profiles help mitigate escape attempts.
“With these counter-measures the risk is reduced,” the advisory notes regarding containerized environments.
CVE-2025-25012 – Open Redirect via Short URLs (CVSS 4.3)
The second vulnerability allows attackers to craft a malicious URL that redirects users to untrusted external websites. It can also be abused for Server-Side Request Forgery (SSRF) in environments where Kibana’s Short URL features are active in Discover, Dashboard, and Visualization Library components.
Mitigation Steps for CVE-2025-25012:
- Upgrade to a patched version (7.17.29, 8.17.8, 8.18.3, or 9.0.3)
- For Basic license users: restrict Short URL privileges by removing full-access rights to Discover, Dashboard, Visualize, and Saved Objects Management
- For Gold, Platinum, or Enterprise users: apply sub-feature privilege controls to prevent Short URL creation while preserving general access to features
These mitigation strategies are applicable across self-hosted and Elastic Cloud environments.
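The following triage helper is an added example, not code from Elastic or the advisory. It compares a Kibana version against the fixed releases listed above and checks whether the reporting workaround for CVE-2025-2135 is set in kibana.yml. It assumes the flat dotted key form shown above (nested YAML is not handled) and plain MAJOR.MINOR.PATCH version strings; the function names and sample config are hypothetical.

```python
import re

# Fixed releases named in the article, keyed by (major, minor) release branch.
FIXED = {(7, 17): 29, (8, 17): 8, (8, 18): 3, (9, 0): 3}

def version_status(version):
    """Classify a Kibana version as 'patched', 'below_fix' or 'unlisted_branch'."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"expected MAJOR.MINOR.PATCH, got {version!r}")
    major, minor, patch = map(int, m.groups())
    fix = FIXED.get((major, minor))
    if fix is None:
        return "unlisted_branch"  # the article names no fixed release here
    return "patched" if patch >= fix else "below_fix"

def reporting_disabled(kibana_yml):
    """True only if every xpack.reporting.enabled line is explicitly false."""
    values = []
    for raw in kibana_yml.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        m = re.fullmatch(r"xpack\.reporting\.enabled\s*:\s*(\S+)", line)
        if m:
            values.append(m.group(1).strip("'\"").lower())
    return bool(values) and all(v == "false" for v in values)

def triage(version, kibana_yml):
    """Summarise what the article's guidance implies for one instance."""
    status = version_status(version)
    disabled = reporting_disabled(kibana_yml)
    if status == "patched":
        action = "none"
    elif status == "below_fix":
        major, minor = map(int, version.strip().split(".")[:2])
        action = f"upgrade to {major}.{minor}.{FIXED[(major, minor)]}"
        if not disabled:
            action += "; until then set xpack.reporting.enabled: false"
    else:
        action = "consult the Elastic advisory for this branch"
    return {"status": status, "reporting_disabled": disabled, "action": action}

# Constructed sample input, not taken from a real deployment.
SAMPLE_YML = """
server.host: "0.0.0.0"
# xpack.reporting.enabled: true
xpack.reporting.enabled: false   # CVE-2025-2135 workaround
"""

if __name__ == "__main__":
    for v in ("8.18.2", "8.18.3", "7.17.28", "8.16.4"):
        print(v, triage(v, SAMPLE_YML))
```

Disabling reporting only addresses CVE-2025-2135; an instance below the fixed release still needs the upgrade or the Short URL privilege restrictions for CVE-2025-25012.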