
Elastic has issued a critical security advisory for Kibana, warning users of a vulnerability tracked as CVE-2025-25014. With a CVSS score of 9.1, this flaw stems from a prototype pollution vulnerability that can lead to arbitrary code execution via specially crafted HTTP requests targeting Kibana’s Machine Learning and Reporting endpoints.
“A Prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine learning and reporting endpoints,” the advisory notes.
Prototype pollution vulnerabilities manipulate the underlying JavaScript object prototype, allowing attackers to inject malicious properties that may override application logic. In this case, it escalates to remote code execution—a worst-case scenario for monitoring environments often entrusted with sensitive telemetry and analytics.
The vulnerability impacts Kibana versions:
- 8.3.0 to 8.17.5
- 8.18.0
- 9.0.0
Both self-hosted and Elastic Cloud deployments are vulnerable if they have both Machine Learning and Reporting features enabled.
Elastic strongly advises users to upgrade immediately to the following fixed versions:
- 8.17.6
- 8.18.1
- 9.0.1
For users who are unable to upgrade, Elastic provides two mitigation paths:
- Disable Machine Learning: add xpack.ml.enabled: false to kibana.yml. Alternatively, to disable only anomaly detection, add xpack.ml.ad.enabled: false.
- Disable Reporting: add xpack.reporting.enabled: false to kibana.yml.
Elastic emphasizes that disabling either feature (ML or Reporting) is sufficient to mitigate the vulnerability in the short term.
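As an added triage helper (not Elastic's code), the script below takes a Kibana version string and the contents of kibana.yml and reports whether the deployment is outside the affected ranges, mitigated by one of the settings above, or still exposed. It assumes a flat key: value layout for the three settings the advisory names; the sample configuration is constructed.

```javascript
// Exposure check for CVE-2025-25014 (added example, not Elastic's code).
// Affected ranges and mitigation keys come from the advisory text above.
const AFFECTED_RANGES = [
  ['8.3.0', '8.17.5'],
  ['8.18.0', '8.18.0'],
  ['9.0.0', '9.0.0'],
];

function parseVersion(v) {
  const parts = v.trim().split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts;
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function isAffectedVersion(version) {
  return AFFECTED_RANGES.some(([lo, hi]) =>
    compareVersions(version, lo) >= 0 && compareVersions(version, hi) <= 0);
}

// Minimal parser for flat "key: value" lines (assumption: enough for the three
// settings named above). Nested YAML needs a real YAML library instead.
function parseFlatYaml(text) {
  const settings = Object.create(null); // prototype-less: no inherited keys
  for (const raw of text.split('\n')) {
    const line = raw.replace(/#.*$/, '').trim();
    const idx = line.indexOf(':');
    if (!line || idx === -1) continue;
    settings[line.slice(0, idx).trim()] = line.slice(idx + 1).trim();
  }
  return settings;
}

// Returns 'not_affected', 'mitigated' or 'vulnerable'. The flaw needs both
// Machine Learning and Reporting enabled, so disabling either one counts.
function assessExposure(version, kibanaYml) {
  if (!isAffectedVersion(version)) return 'not_affected';
  const s = parseFlatYaml(kibanaYml);
  const mlOff = s['xpack.ml.enabled'] === 'false' || s['xpack.ml.ad.enabled'] === 'false';
  const reportingOff = s['xpack.reporting.enabled'] === 'false';
  return mlOff || reportingOff ? 'mitigated' : 'vulnerable';
}

// Constructed sample kibana.yml for a stand-alone run.
const SAMPLE_YML = 'server.host: "0.0.0.0"\nxpack.reporting.enabled: false  # stopgap\n';
console.log(assessExposure('8.17.5', SAMPLE_YML)); // mitigated
```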
If you operate a Kibana deployment within the affected versions, patch immediately. Where patching is not feasible, disable either the Machine Learning or Reporting modules to block exploit paths.