Elastic has issued five security advisories addressing five vulnerabilities affecting its Kibana and Elasticsearch components, including three critical Cross-Site Scripting (XSS) issues and two information disclosure vulnerabilities. The most severe flaw, CVE-2025-25009, carries a CVSS score of 8.7 and could allow attackers to execute arbitrary scripts within Kibana via malicious file uploads.
Stored XSS via Case File Upload (CVE-2025-25009)
The first and most critical flaw, CVE-2025-25009, affects Kibana’s case file upload functionality. An attacker with file upload privileges could craft a malicious file to inject JavaScript into stored pages, leading to persistent XSS attacks.
Elastic notes that the attacker “requires the ability to upload files to Kibana,” referring administrators to the case management documentation for context. Once exploited, this vulnerability could allow data theft, session hijacking, or privilege escalation within Kibana dashboards.
The flaw affects:
- Kibana 7.x: All versions ≤ 7.17.29
- Kibana 8.x–9.x: All versions up to 9.1.4
Elastic has patched the issue in Kibana 8.18.8, 8.19.5, 9.0.8, and 9.1.5. For environments that cannot immediately upgrade, the company suggests enabling the advanced setting discover:searchFieldsFromSource: true (for 7.12–8.19.0), though it warns, “There are no workarounds for 9.0+.”
Vega Visualization XSS (CVE-2025-25017)
Another high-severity vulnerability, CVE-2025-25017 (CVSS 8.2), impacts Kibana’s Vega visualization engine, which supports dynamic, data-driven visual content. Elastic explains, “Improper Neutralization of Input During Web Page Generation in Vega visualizations in Kibana can lead to Cross-Site-Scripting (XSS).”
This flaw affects all Kibana configurations, meaning any deployment with Vega enabled is vulnerable. The issue arises from unvalidated inputs within Vega visualization specifications, allowing attackers to inject malicious JavaScript.
Elastic’s recommended mitigation for users who cannot upgrade is to disable Vega visualizations entirely:
“For on-premise installations, you can set vis_type_vega.enabled: false in kibana.yml file. Note that this will disable all Vega charts in Kibana.”
Elastic Cloud customers can request support to have the feature disabled at the deployment level.
Fleet and Integrations Management XSS (CVE-2025-25018)
A third stored XSS vulnerability, CVE-2025-25018 (CVSS 8.7), affects the Fleet and Integrations management interface within Kibana. Elastic warns that “Improper Validation of Specified Type of Input in Kibana can lead to stored Cross-Site-Scripting (XSS).”
This issue requires the attacker to possess a role that includes “All permissions under Management for Fleet and Integrations.” Once exploited, it could allow embedded malicious payloads to execute within administrative dashboards, potentially compromising other users’ sessions.
Elastic advises upgrading to 8.18.8, 8.19.5, 9.0.8, or 9.1.5 to remediate the issue.
Sensitive Data Exposure in Elasticsearch (CVE-2025-37727)
Beyond Kibana, Elastic’s advisory also details CVE-2025-37727 (CVSS 5.3), a sensitive information disclosure vulnerability in Elasticsearch’s audit logging system.
Elastic describes the issue as “Insertion of sensitive information in log file in Elasticsearch [that] can lead to loss of confidentiality under specific preconditions when auditing requests to the reindex API.”
The flaw manifests when all three of the following conditions are met:
- Audit logging is enabled (xpack.security.audit.enabled: true)
- Authentication success events are logged
- Request body logging is enabled (xpack.security.audit.logfile.events.emit_request_body: true)
Because these three options are rarely all enabled at once (none of them is on by default), the vulnerability has limited impact, but it still poses a risk in regulated environments where audit logs may capture sensitive request payloads.
Elastic resolved the issue in the same fixed versions (8.18.8, 8.19.5, 9.0.8, 9.1.5) and advises users who cannot upgrade to set emit_request_body: false to prevent exposure.
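The two configuration-level mitigations in this article (disabling Vega in kibana.yml, and turning off request-body audit logging in elasticsearch.yml) are easy to check for across a fleet of config files. The following script is an added example written for this article, not code from Elastic: it parses the flat, dotted-key style of Elastic config files and reports whether the three audit preconditions listed above hold, and whether Vega is still enabled. The setting name used to select audited event types, xpack.security.audit.logfile.events.include, comes from Elasticsearch's documented audit settings rather than from the advisory text; the two config samples are constructed for the example.

```python
"""Check Elastic config files for the mitigations named in the advisories:
 - elasticsearch.yml: the three preconditions under which CVE-2025-37727
   writes reindex request bodies into the audit log
 - kibana.yml: whether Vega visualizations (CVE-2025-25017) are still enabled
"""
from __future__ import annotations
import re

# Constructed sample elasticsearch.yml with all three preconditions met.
VULNERABLE_ES_CONFIG = """
cluster.name: demo-cluster
xpack.security.enabled: true
xpack.security.audit.enabled: true
xpack.security.audit.logfile.events.include:
  - access_denied
  - authentication_success
xpack.security.audit.logfile.events.emit_request_body: true
"""

# The same file with the advisory's workaround applied.
HARDENED_ES_CONFIG = VULNERABLE_ES_CONFIG.replace(
    "emit_request_body: true", "emit_request_body: false")

# Constructed sample kibana.yml before and after the Vega workaround.
DEFAULT_KIBANA_CONFIG = "server.port: 5601\nelasticsearch.hosts: [http://localhost:9200]\n"
HARDENED_KIBANA_CONFIG = DEFAULT_KIBANA_CONFIG + "vis_type_vega.enabled: false\n"


def parse_flat_yaml(text: str) -> dict[str, object]:
    """Parse the dotted-key subset of YAML used in Elastic config files.

    Supports `key: scalar`, `key: [a, b]` and a block list under a key.
    This is deliberately not a general YAML parser.
    """
    settings: dict[str, object] = {}
    current_list_key: str | None = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        item = re.match(r"^\s+-\s*(.+)$", line)    # "  - value" list entry
        if item and current_list_key is not None:
            settings[current_list_key].append(item.group(1).strip())  # type: ignore[union-attr]
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if value == "":                            # block list follows
            settings[key] = []
            current_list_key = key
        elif value.startswith("[") and value.endswith("]"):
            settings[key] = [v.strip() for v in value[1:-1].split(",") if v.strip()]
            current_list_key = None
        else:
            settings[key] = value
            current_list_key = None
    return settings


def as_bool(value: object, default: bool = False) -> bool:
    if value is None:
        return default
    return str(value).strip().lower() == "true"


def audit_exposes_request_bodies(es_config_text: str) -> bool:
    """True when all three CVE-2025-37727 preconditions hold at once."""
    cfg = parse_flat_yaml(es_config_text)
    audit_on = as_bool(cfg.get("xpack.security.audit.enabled"))
    events = cfg.get("xpack.security.audit.logfile.events.include", [])
    if isinstance(events, str):
        events = [events]
    auth_success_logged = "authentication_success" in events or "_all" in events
    bodies_on = as_bool(cfg.get("xpack.security.audit.logfile.events.emit_request_body"))
    return audit_on and auth_success_logged and bodies_on


def vega_enabled(kibana_config_text: str) -> bool:
    """Vega is on unless kibana.yml explicitly sets vis_type_vega.enabled: false."""
    cfg = parse_flat_yaml(kibana_config_text)
    return as_bool(cfg.get("vis_type_vega.enabled"), default=True)


if __name__ == "__main__":
    for name, text in [("vulnerable", VULNERABLE_ES_CONFIG), ("hardened", HARDENED_ES_CONFIG)]:
        print(f"{name} elasticsearch.yml: request bodies in audit log = "
              f"{audit_exposes_request_bodies(text)}")
    for name, text in [("default", DEFAULT_KIBANA_CONFIG), ("hardened", HARDENED_KIBANA_CONFIG)]:
        print(f"{name} kibana.yml: Vega enabled = {vega_enabled(text)}")
```

Point the functions at real files by reading them into strings; a finding of `True` from audit_exposes_request_bodies or vega_enabled on an unpatched version means the corresponding workaround from the advisory has not been applied.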
Credential Leakage in CrowdStrike Connector (CVE-2025-37728)
The fifth vulnerability, CVE-2025-37728 (CVSS 5.4), affects Kibana instances that use the Elastic–CrowdStrike connector, a feature that enables automated incident correlation between the two platforms.
Elastic warns that “Insufficiently Protected Credentials in the Crowdstrike connector can lead to Crowdstrike credentials being leaked.”
A malicious user could access cached credentials from another workspace by creating a new connector within their own space. Elastic urges all users leveraging the CrowdStrike connector to upgrade to 8.18.8 or higher to prevent this type of credential cross-access.
Patching Guidance and Final Recommendations
Elastic strongly recommends that all users — both self-managed and Elastic Cloud — update to the latest patched releases:
- 8.18.8
- 8.19.5
- 9.0.8
- 9.1.5
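Because the fixes land on four separate release lines, a version such as 8.19.4 or 9.0.7 is still affected even though it is "newer" than 8.18.8. The helper below is an added example (not Elastic tooling) that encodes the fixed versions from this article and the affected ranges stated above: 7.x has no fixed release in these advisories, a version on one of the four fixed minor lines is patched only at or above the listed patch level, and anything later than 9.1.5 is treated as patched per Elastic's "or later" wording. The version strings fed to it are constructed for the example.

```python
"""Decide whether a Kibana/Elasticsearch version is covered by the fixes in
the five Elastic advisories discussed here (fixed: 8.18.8, 8.19.5, 9.0.8, 9.1.5)."""
from __future__ import annotations

Version = tuple[int, int, int]

# Fixed releases named in the advisories, one per affected release line.
FIXED_VERSIONS: list[Version] = [(8, 18, 8), (8, 19, 5), (9, 0, 8), (9, 1, 5)]


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch', ignoring a pre-release suffix like '-SNAPSHOT'."""
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a major.minor.patch version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_patched(version_text: str) -> bool:
    v = parse_version(version_text)
    if v[0] < 8:
        return False                      # 7.x: affected up to 7.17.29, no fix listed
    for fixed in FIXED_VERSIONS:
        if v[:2] == fixed[:2]:            # same major.minor line as a fixed release
            return v >= fixed
    # No fixed release on this minor line: only releases after the newest
    # fixed version (9.1.5) count as "or later"; e.g. 8.17.x stays affected.
    return v > max(FIXED_VERSIONS)


def recommended_upgrade(version_text: str) -> str | None:
    """Smallest fixed release that is newer than the given version, or None if already patched."""
    if is_patched(version_text):
        return None
    v = parse_version(version_text)
    candidates = [f for f in FIXED_VERSIONS if f > v]
    target = min(candidates) if candidates else min(FIXED_VERSIONS)
    return ".".join(str(n) for n in target)


if __name__ == "__main__":
    for sample in ["7.17.29", "8.17.3", "8.18.7", "8.18.8", "8.19.4", "9.0.8", "9.1.4", "9.2.0"]:
        status = "patched" if is_patched(sample) else f"upgrade to {recommended_upgrade(sample)}"
        print(f"{sample:>8}: {status}")
```

The same check applies to Elasticsearch for CVE-2025-37727, since the advisory lists the same four fixed releases for it.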
The company emphasizes that many of these vulnerabilities involve stored XSS vectors, which can persist across user sessions and require minimal user interaction to trigger.
“Users should upgrade to the versions below or later,” Elastic states across multiple CVE advisories, highlighting the importance of timely updates and configuration review.
For administrators unable to patch immediately, Elastic advises disabling risky components — such as Vega visualizations — and tightening audit configurations to reduce exposure.