Severity Level: Critical
Title: Critical Vulnerability in Kibana
Summary:
Vulnerability Details:
• CVE-2025-25014
• CVSS Score: 9.1 Critical
• A prototype pollution vulnerability exists in Kibana. This flaw allows remote attackers to execute arbitrary code on affected Kibana instances by sending specially crafted HTTP requests to the Machine Learning and Reporting endpoints. Both self-hosted and Elastic Cloud deployments are affected if these features are enabled.
• Successful exploitation allows unauthenticated attackers to manipulate JavaScript object prototypes, potentially overriding application logic and escalating to remote code execution. This poses a severe risk to environments that process sensitive telemetry and analytics data.
Affected Versions:
• Kibana 8.3.0 – 8.17.5
• Kibana 8.18.0
• Kibana 9.0.0
Fixed Versions:
• Kibana 8.17.6, 8.18.1, or 9.0.1
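The affected and fixed ranges above are inclusive and split across three release lines, which is easy to get wrong when triaging an inventory by hand. The following is an added helper, not from the advisory or from Elastic, that classifies a Kibana version string against exactly those ranges; the host names and versions in the sample inventory are constructed.

```javascript
// Parses the leading major.minor.patch of a version string (suffixes such as
// "-SNAPSHOT" are ignored for the comparison).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 comparing a to b numerically field by field.
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Inclusive affected ranges and the fix for each, as listed in the advisory.
const AFFECTED_RANGES = [
  { from: '8.3.0',  to: '8.17.5', fixed: '8.17.6' },
  { from: '8.18.0', to: '8.18.0', fixed: '8.18.1' },
  { from: '9.0.0',  to: '9.0.0',  fixed: '9.0.1'  },
];

// Classifies one version: affected or not, and the release that fixes its line.
function assessKibanaVersion(version) {
  for (const r of AFFECTED_RANGES) {
    if (compareVersions(version, r.from) >= 0 && compareVersions(version, r.to) <= 0) {
      return { affected: true, fixedIn: r.fixed };
    }
  }
  return { affected: false, fixedIn: null };
}

// Constructed inventory for the example; hosts and versions are made up.
const SAMPLE_INVENTORY = [
  { host: 'kibana-a.example.internal', version: '8.17.3' },
  { host: 'kibana-b.example.internal', version: '8.17.6' },
  { host: 'kibana-c.example.internal', version: '8.18.0' },
  { host: 'kibana-d.example.internal', version: '9.0.1' },
  { host: 'kibana-e.example.internal', version: '8.2.9' },
];

// Returns the hosts that still need to move to a fixed version, with the target release.
function findAffectedHosts(inventory) {
  return inventory
    .map(h => ({ ...h, ...assessKibanaVersion(h.version) }))
    .filter(h => h.affected)
    .map(h => ({ host: h.host, version: h.version, upgradeTo: h.fixedIn }));
}

console.log(findAffectedHosts(SAMPLE_INVENTORY));
```

Note that the ranges apply to deployments where the affected features are enabled; the classifier tells you which hosts to upgrade, not which ones are currently exposed.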
Recommendations:
We recommend upgrading affected Kibana instances to the fixed versions listed above, or to the latest available Kibana release.