Critical Kibana Vulnerability Exposes Users to Code Execution Risk
Elastic has released urgent security updates following the discovery of a critical vulnerability in Kibana, the visualization dashboard for Elasticsearch. The flaw, tracked as CVE-2025-25015, carries a CVSS score of 9.9 out of a possible 10. It is a prototype pollution bug, a class of JavaScript weakness that lets an attacker tamper with objects and their properties inside the application.
According to Elastic's advisory, the prototype pollution in Kibana allows an attacker to execute arbitrary code through a crafted file upload combined with specially crafted HTTP requests. The consequences could include unauthorized data access, privilege escalation, and denial of service.
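Prototype pollution of the kind described above, as an added example that is not Kibana's or Elastic's code: a naive recursive merge of an untrusted JSON body beside a hardened merge that drops the keys reaching `Object.prototype`, plus a scanner for those keys. The request body, the `polluted` property and all function names are constructed for the demonstration.

```javascript
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Vulnerable: walks every key, including "__proto__", so a crafted body
// writes into Object.prototype and every object in the process inherits it.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === "object") {
      if (target[key] === null || typeof target[key] !== "object") target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: own keys only, forbidden names dropped, nested containers built
// without a prototype so nothing can be inherited through them.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // reject or log here, per policy
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== "object") {
        target[key] = Object.create(null);
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Input validation / detection: does a decoded JSON body carry a forbidden
// key anywhere in its tree? Usable before merging, or over logged bodies.
function containsForbiddenKey(value) {
  if (value === null || typeof value !== "object") return false;
  return Object.keys(value).some((k) => FORBIDDEN_KEYS.has(k) || containsForbiddenKey(value[k]));
}

const CRAFTED_BODY = '{"title":"dashboard","__proto__":{"polluted":true}}'; // constructed sample, not a real request

// Merge the constructed body with the given function and report whether an
// unrelated fresh object then inherits "polluted"; always cleans up afterwards.
function leaksIntoPrototype(mergeFn) {
  try {
    mergeFn({}, JSON.parse(CRAFTED_BODY));
    return ({}).polluted === true;
  } finally {
    delete Object.prototype.polluted;
  }
}
```

`JSON.parse` creates `__proto__` as an ordinary own property, which is why the scanner sees it and why the naive merge, reading it back through the `__proto__` accessor on the target, lands on `Object.prototype`.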
The vulnerability affects Kibana versions from 8.15.0 up to 8.17.3, the release that contains the fix. In the earlier affected versions, even low-privileged users such as those holding the Viewer role can trigger the flaw. In Kibana 8.17.1 and 8.17.2, exploitation is limited to users holding specific elevated privileges: fleet-all, integrations-all, and actions:execute-advanced-connectors.
Elastic clarified that the issue affects Kibana instances running on Elastic Cloud, but emphasized that any code execution is confined to the Kibana Docker container, where seccomp-bpf and AppArmor profiles limit further exploitation such as container escapes. Self-managed Kibana instances using Basic or Platinum licenses remain unaffected.
Elastic advises administrators to apply the patches promptly. Where an immediate upgrade is not feasible, the risk can be mitigated by disabling the Integration Assistant feature in the Kibana configuration file (kibana.yml).
This vulnerability follows a history of critical security issues in Kibana. In August 2024, Elastic identified a prototype pollution flaw (CVE-2024-37287, CVSS 9.9) that also permitted code execution, and in September 2024 it resolved two severe deserialization bugs, underscoring the recurring weaknesses in the software.
Because exploiting this flaw requires a Kibana account, it fits adversary tactics in which initial access is gained through social engineering or compromised credentials and the known vulnerability is then used to run code and establish persistence. Business owners must remain vigilant, as the fallout from such security lapses can cause significant operational and reputational damage.
Organizations are encouraged to stay informed and proactive in applying security measures, as the evolving landscape of cybersecurity continues to pose risks to business continuity and data integrity.