Elastic has issued two security advisories addressing two vulnerabilities in Kibana, the visualization and analytics dashboard component of the Elastic Stack, which could enable server-side request forgery (SSRF) and DOM-based cross-site scripting (XSS) attacks.
The two flaws — CVE-2025-37734 (CVSS 4.3) and CVE-2025-59840 (CVSS 8.7) — affect multiple Kibana versions across both Elastic Cloud and self-hosted environments. Users are strongly urged to upgrade to versions 8.19.7, 9.1.7, or 9.2.1, which fully patch the vulnerabilities.
The first flaw, CVE-2025-37734, is an Origin Validation Error in Kibana that can result in a Server-Side Request Forgery (SSRF) vulnerability.
“Origin Validation Error in Kibana can lead to Server-Side Request Forgery via a forged Origin HTTP header processed by the Observability AI Assistant,” Elastic’s advisory explained.
This issue affects deployments that use the Observability AI Assistant, the feature that lets users query and explore observability data in natural language. An attacker could exploit the flaw by sending crafted HTTP requests with a spoofed Origin header, causing the Kibana server to issue requests to a destination of the attacker's choosing rather than to its own trusted back end. The moderate CVSS score of 4.3 reflects the limited impact Elastic assigns to the issue.
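Elastic's advisory does not describe the faulty check, so the following added example (not Kibana's code, and not a claim about the actual defect) illustrates the general bug class behind "origin validation error leads to SSRF": a loose substring match on the Origin header combined with deriving a server-side request target from that header, beside a hardened version that canonicalises the origin, matches it exactly against an allowlist, and takes the outbound target from configuration. The public URL, allowlist and endpoint path are assumptions.

```javascript
// Added illustration of the "origin validation error -> SSRF" bug class.
// This is NOT Kibana's code and does not show the actual CVE-2025-37734 defect;
// the configured public URL, allowlist and endpoint path are assumptions.

const CONFIGURED_PUBLIC_URL = "https://kibana.example.com:5601"; // assumed server config
const TRUSTED_ORIGINS = new Set([CONFIGURED_PUBLIC_URL]);
const ENDPOINT = "/internal/hypothetical_endpoint"; // placeholder path, not a real route

// Returns a canonical origin ("scheme://host[:port]") or null if the value is
// not a bare origin. Rejects "null", paths, credentials, queries and fragments.
function canonicalOrigin(value) {
  if (typeof value !== "string") return null;
  let u;
  try { u = new URL(value); } catch { return null; }
  if (u.pathname !== "/" || u.search || u.hash || u.username || u.password) return null;
  return u.origin; // scheme and host are lower-cased, default ports dropped
}

function isTrustedOrigin(value) {
  const origin = canonicalOrigin(value);
  return origin !== null && TRUSTED_ORIGINS.has(origin);
}

// VULNERABLE pattern: (1) a substring check accepts any origin that merely
// contains the expected host name, and (2) the server builds the URL it will
// call itself from the attacker-controlled Origin header.
function backendUrlLoose(req) {
  const origin = req.headers.origin || CONFIGURED_PUBLIC_URL;
  if (!origin.includes("kibana.example.com")) return null;
  return origin + ENDPOINT; // the server-side request goes wherever Origin points
}

// HARDENED: exact allowlist match on the canonical origin, and the outbound
// target always comes from configuration, never from the request.
function backendUrlStrict(req) {
  if (!isTrustedOrigin(req.headers.origin)) return null;
  return CONFIGURED_PUBLIC_URL + ENDPOINT;
}

// Constructed requests (no real traffic): a forged Origin and a genuine one.
const FORGED_REQUEST = { headers: { origin: "https://kibana.example.com.attacker.test" } };
const GENUINE_REQUEST = { headers: { origin: "https://kibana.example.com:5601" } };
```

The loose version happily returns a URL under `attacker.test` for the forged request, which is exactly the outbound request an SSRF attacker wants; the strict version returns null for it and for a missing, `null`, http-scheme or credential-bearing Origin, while still accepting the genuine origin in any letter case.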
The second vulnerability, CVE-2025-59840, carries a much higher CVSS score of 8.7, making it a high-severity issue. This bug stems from improper input sanitization in Kibana’s Vega visualization engine, which could allow attackers to execute arbitrary JavaScript in the victim’s browser.
“Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) in Kibana can lead to DOM-based XSS due to the use of Vega,” Elastic wrote in the advisory.
Because Vega visualizations are enabled by default, nearly every unpatched Kibana instance exposes the flaw unless administrators have disabled the feature. As with any DOM-based XSS, exploitation still requires a victim to render attacker-influenced Vega content in their browser.
Elastic noted that its Elastic Cloud Serverless infrastructure was patched before public disclosure.
For users unable to update right away, the company provides interim mitigations depending on deployment type:
Self-hosted Kibana Instances
Administrators can disable Vega visualizations by editing the configuration file:
Elastic cautions, however, that this will disable all Vega charts in Kibana.
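As an added triage helper (not Elastic's code and not from the article), the script below checks two things a practitioner wants to know quickly: whether a given Kibana version is at or above the fixed release on its line, using the three fixed versions the article lists, and whether a kibana.yml already carries the interim Vega mitigation. The setting name `vis_type_vega.enabled` is Kibana's documented kibana.yml switch for Vega; it is assumed here because the article's own configuration snippet is not reproduced above. The sample YAML inputs are constructed.

```javascript
// Added triage helper for the two Kibana advisories (not Elastic's code).
// Fixed versions are the ones the article names. The kibana.yml key
// vis_type_vega.enabled is Kibana's documented Vega switch (assumed here).

const FIXED_VERSIONS = ["8.19.7", "9.1.7", "9.2.1"];

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

// true  -> a fixed release on a line the article's fix list covers
// false -> same release line but older than the fix: upgrade
// null  -> unparsable, or a line the fix list does not mention; consult the advisory
function isFixed(version) {
  const cur = parseVersion(version);
  if (!cur) return null;
  for (const fixed of FIXED_VERSIONS) {
    const f = parseVersion(fixed);
    if (f[0] === cur[0] && f[1] === cur[1]) return cur[2] >= f[2];
  }
  return null;
}

// Reads kibana.yml text and reports whether Vega is switched off. Handles the
// dotted form ("vis_type_vega.enabled: false") and the nested form
// ("vis_type_vega:" followed by an indented "enabled: false"). Comments and
// blank lines are ignored; a missing key means Kibana's default (enabled).
function vegaDisabled(kibanaYml) {
  let inVegaBlock = false;
  let value = "true";
  for (const raw of kibanaYml.split("\n")) {
    const line = raw.replace(/#.*$/, "").trimEnd();
    if (!line.trim()) continue;
    const indented = /^\s/.test(line);
    if (!indented) inVegaBlock = /^vis_type_vega:\s*$/.test(line);
    let m = /^vis_type_vega\.enabled:\s*(\S+)/.exec(line);
    if (m) value = m[1];
    else if (inVegaBlock && (m = /^\s+enabled:\s*(\S+)/.exec(line))) value = m[1];
  }
  return value.toLowerCase() === "false";
}

// Constructed sample configurations (not from any real deployment).
const SAMPLE_YML_MITIGATED = [
  "server.port: 5601",
  "# interim mitigation for CVE-2025-59840",
  "vis_type_vega.enabled: false",
].join("\n");

const SAMPLE_YML_DEFAULT = 'server.port: 5601\nelasticsearch.hosts: ["http://localhost:9200"]\n';

// Summary a practitioner might log for one instance (values computed, not printed here).
function triage(version, kibanaYml) {
  return { fixed: isFixed(version), vegaDisabled: vegaDisabled(kibanaYml) };
}
```

A result of `{ fixed: false, vegaDisabled: false }` is the case that needs action now: an unpatched release line with Vega still on. A `null` for `fixed` means the instance is on a line the article's fix list does not name, so the advisory itself has to be consulted rather than assuming either way.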
Elastic Cloud Users
“For Elastic Cloud services deployments, you can reach out to Elastic Support to request that Vega visualizations are disabled in your deployments,” the advisory advises.