Elastic has issued important security updates for Kibana, the popular data visualization dashboard for the Elastic Stack, after discovering a high-severity vulnerability that allows attackers to turn charts and graphs into weapons. Tracked as CVE-2025-68385, the flaw carries a CVSS score of 7.2 and allows authenticated users to execute Cross-Site Scripting (XSS) attacks by exploiting a gap in the Vega visualization tool.
Kibana allows users to create custom visualizations using Vega, a declarative grammar for building interactive visualizations. While this flexibility is a feature, it is also a security frontier: a visualization is effectively user-supplied content rendered in other users' browsers.
According to the disclosure, the issue stems from “Improper neutralization of input during web page generation.” Specifically, a method within Vega was found to bypass previous XSS defenses.
This loophole allows an authenticated user—such as a rogue analyst or an attacker who has compromised a low-privileged account—to embed malicious scripts inside a saved visualization. When another user (potentially an administrator with higher privileges) views that dashboard, the script executes in their browser with that viewer's session. This could lead to session hijacking, unauthorized actions, or data exfiltration.
The blast radius for this vulnerability is extensive, affecting nearly all recent major versions of the platform.
- Version 7.x: All versions are affected.
- Version 8.x: Vulnerable from 8.0.0 through 8.19.8 inclusive.
- Version 9.x: Vulnerable from 9.0.0 through 9.1.8 inclusive, and from 9.2.0 through 9.2.2 inclusive.
Elastic has released patches to close this loophole and reinforce the Vega sanitization process. Administrators are urged to upgrade to the following versions immediately:
- v8.19.9
- v9.1.9
- v9.2.3
No 7.x patch is listed, so users on 7.x should prioritize a major version upgrade.
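To make the affected ranges above actionable across a fleet, here is an added example (not Elastic's code and not part of the advisory) that encodes the version ranges and upgrade targets stated above and flags inventory entries that still need patching; the inventory entries are constructed.

```python
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Ranges from the CVE-2025-68385 advisory text above:
# (first vulnerable release, first fixed release). None = no fix in that line.
AFFECTED_RANGES: List[Tuple[Version, Optional[Version]]] = [
    ((7, 0, 0), None),        # all 7.x releases; no 7.x patch listed
    ((8, 0, 0), (8, 19, 9)),  # 8.0.0 - 8.19.8 vulnerable, fixed in 8.19.9
    ((9, 0, 0), (9, 1, 9)),   # 9.0.0 - 9.1.8 vulnerable, fixed in 9.1.9
    ((9, 2, 0), (9, 2, 3)),   # 9.2.0 - 9.2.2 vulnerable, fixed in 9.2.3
]


def parse_version(text: str) -> Version:
    """Parse 'v8.19.8' / '8.19.8-SNAPSHOT' style strings into (major, minor, patch)."""
    core = text.strip().lstrip("v").split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Kibana version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def recommended_upgrade(version: str) -> Optional[str]:
    """Return the fixed release for a vulnerable version, or None if not vulnerable
    or if the line has no patch (7.x, where a major upgrade is needed instead)."""
    v = parse_version(version)
    for first_bad, first_fixed in AFFECTED_RANGES:
        if v[0] != first_bad[0] or v < first_bad:
            continue  # different major line, or older than the range start
        if first_fixed is None:
            return None  # 7.x: vulnerable, but no in-line fix exists
        if v < first_fixed:
            return "%d.%d.%d" % first_fixed
    return None


def is_vulnerable(version: str) -> bool:
    v = parse_version(version)
    return any(v[0] == lo[0] and v >= lo and (fixed is None or v < fixed)
               for lo, fixed in AFFECTED_RANGES)


# Constructed sample inventory (hostname, reported Kibana version); not real hosts.
SAMPLE_INVENTORY = [("kb-prod-1", "8.19.8"), ("kb-prod-2", "8.19.9"),
                    ("kb-soc", "9.1.8"), ("kb-lab", "9.2.2"), ("kb-legacy", "7.17.28")]


def triage(inventory) -> List[Tuple[str, str, str]]:
    """List (host, version, action) for every host still exposed to CVE-2025-68385."""
    return [(host, ver, recommended_upgrade(ver) or "major version upgrade")
            for host, ver in inventory if is_vulnerable(ver)]
```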