
Elastic has released a security update to address a critical vulnerability in Kibana, its popular data visualization and exploration platform. The vulnerability, tracked as CVE-2025-25015 and assigned a CVSS score of 9.9, could allow attackers to execute arbitrary code on vulnerable systems.
Kibana is widely used to visualize and analyze data indexed in an Elasticsearch cluster; users can build bar, line and scatter plots, pie charts and maps on top of large volumes of data.
The vulnerability stems from a prototype pollution issue that can be exploited through a crafted file upload and specially crafted HTTP requests. “Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests,” the advisory states.
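To make the bug class concrete, here is an added JavaScript illustration (not Kibana's code, and not the CVE-2025-25015 code path) of how prototype pollution arises in a Node.js service: a naive recursive merge of untrusted JSON writes through the "__proto__" key onto Object.prototype, so every unrelated object afterwards inherits the injected property. The hardened merge beside it only walks own keys, refuses the three keys that reach the prototype chain, and never descends into an inherited target property; rejecting such input with an error also gives the service a natural place to log the attempt. The input string, the isAdmin property name and the function names are constructed for this example.

```javascript
'use strict';

// Constructed input for this example. JSON.parse creates an *own* property
// literally named "__proto__" on the parsed object, which is what makes the
// naive merge below dangerous.
const CONSTRUCTED_INPUT = '{"title": "report", "__proto__": {"isAdmin": true}}';

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable shape: for..in yields "__proto__", target["__proto__"] resolves to
// Object.prototype, and the recursion writes the inner keys onto that shared
// prototype. Shown only to contrast with the hardened version.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isPlainObject(value) && isPlainObject(target[key])) {
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: own keys only, refuse keys that reach the prototype chain,
// and only recurse into a target property the target actually owns.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      // Reject rather than silently skip: a request handler can log this.
      throw new Error(`rejected untrusted key "${key}"`);
    }
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Run one merge implementation against the constructed input and report whether
// Object.prototype gained an own "isAdmin" property and whether the input was
// rejected. Removes the property afterwards so the process stays usable.
function pollutionCheck(merge) {
  let rejected = false;
  try {
    merge({}, JSON.parse(CONSTRUCTED_INPUT));
  } catch (e) {
    rejected = true;
  }
  const polluted = Object.prototype.hasOwnProperty.call(Object.prototype, 'isAdmin');
  delete Object.prototype.isAdmin;
  return { polluted, rejected };
}

console.log('unsafeMerge:', pollutionCheck(unsafeMerge)); // { polluted: true, rejected: false }
console.log('safeMerge:  ', pollutionCheck(safeMerge));   // { polluted: false, rejected: true }
```

The same three-key denylist is the usual fix for generic deep-merge, deep-set and deep-clone helpers; where a service never needs inherited properties at all, building the merge target with Object.create(null) removes the prototype chain entirely.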
The impact of this vulnerability varies depending on the Kibana version:
- Versions 8.15.0 to 8.17.0: Exploitable by users with the ‘Viewer’ role.
- Versions 8.17.1 and 8.17.2: Exploitable by users with specific privileges (fleet-all, integrations-all, actions:execute-advanced-connectors).
“In Kibana versions >= 8.15.0 and < 8.17.1, this is exploitable by users with the Viewer role. In Kibana versions 8.17.1 and 8.17.2, this is only exploitable by users that have roles that contain all the following privileges: fleet-all, integrations-all, actions:execute-advanced-connectors,” clarifies the advisory.
Elastic has addressed the CVE-2025-25015 vulnerability in Kibana version 8.17.3 and strongly urges all users to upgrade to this version as soon as possible.
“Users should upgrade to Kibana version 8.17.3,” the advisory recommends.
For those unable to immediately upgrade, Elastic provides a temporary mitigation:
- Disable the Integration Assistant: Set xpack.integration_assistant.enabled: false in the Kibana configuration.
Users of Elastic Kibana are strongly encouraged to apply the necessary updates or mitigations to protect their systems from potential attacks.
Update on March 6:
Elastic corrected the CVE identifier from CVE-2025-25012 to CVE-2025-25015.