
Mar 06, 2025 | Ravie Lakshmanan | Data Security / Software Security

Elastic has released security updates to address a critical security vulnerability affecting the Kibana data visualization dashboard software for Elasticsearch, which could lead to arbitrary code execution.

The vulnerability, identified as CVE-2025-25012, has a CVSS score of 9.9 out of 10.0 and is classified as a prototype pollution vulnerability.

“A case of prototype pollution in Kibana can lead to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests,” the company stated in a security advisory released on Wednesday.

A prototype pollution vulnerability is a security flaw that lets an attacker inject or modify properties on an application’s JavaScript object prototypes, so that every object inheriting from them picks up the attacker-controlled values. Depending on how the application later uses those objects, this can result in unauthorized data access, privilege escalation, denial-of-service, or remote code execution.
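To make the mechanism concrete, the following is an added JavaScript illustration, not Kibana’s code and not taken from the advisory: a naive recursive merge of untrusted JSON that writes through to Object.prototype, beside a hardened merge that refuses the prototype-reaching keys. The input document and the isAdmin property are constructed for the demonstration.

```javascript
// Constructed, attacker-shaped JSON standing in for a crafted upload or request body.
const CONSTRUCTED_INPUT = '{"title":"report","__proto__":{"isAdmin":true}}';

// Vulnerable: JSON.parse yields an own key literally named "__proto__", and
// target["__proto__"] resolves to Object.prototype, so the recursion writes the
// nested object onto the prototype shared by every plain object in the process.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: reject the keys that reach the prototype chain, recurse only into
// own plain-object properties, and build new children on a null prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // or throw, so the attempt shows up in logs
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : null;
      const child = own !== null && typeof own === 'object' ? own : Object.create(null);
      target[key] = safeMerge(child, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Merge the input into a fresh object, then check whether an unrelated object
// inherited the injected property. Object.prototype is restored afterwards.
function demonstrate(mergeFn) {
  const result = mergeFn({}, JSON.parse(CONSTRUCTED_INPUT));
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return { title: result.title, leaked };
}

console.log('unsafe:', demonstrate(unsafeMerge)); // { title: 'report', leaked: true }
console.log('safe:  ', demonstrate(safeMerge));   // { title: 'report', leaked: false }
```

The same check (does an unrelated `{}` suddenly carry the injected key?) is a cheap regression test to keep next to any deep-merge or object-extend helper that handles request bodies or uploaded files.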

The vulnerability affects all versions of Kibana between 8.15.0 and 8.17.3 and has been addressed in version 8.17.3.

However, in Kibana versions from 8.15.0 to 8.17.1, the vulnerability can only be exploited by users with the Viewer role. In Kibana versions 8.17.1 and 8.17.2, it can only be exploited by users with the following privileges:

  • fleet-all
  • integrations-all
  • actions:execute-advanced-connectors

Users are advised to apply the latest security patches to protect against potential threats. If immediate patching is not possible, users can temporarily set the Integration Assistant feature flag to false (“xpack.integration_assistant.enabled: false”) in Kibana’s configuration (“kibana.yml”).

In August 2024, Elastic addressed another critical prototype pollution flaw in Kibana (CVE-2024-37287, CVSS score: 9.9) that could lead to code execution. A month later, it resolved two severe deserialization bugs (CVE-2024-37288, CVSS score: 9.9, and CVE-2024-37285, CVSS score: 9.1) that could also permit arbitrary code execution.
