Elastic has issued a critical security update to address a severe vulnerability in its Kibana data visualization dashboard, which could enable attackers to execute arbitrary code on affected systems. The flaw, identified as CVE-2025-25012, has been assigned a CVSS score of 9.9 out of 10, underscoring its severity.

Nature of the Vulnerability

The vulnerability arises from a prototype pollution issue within Kibana. Prototype pollution is a type of security flaw that allows attackers to manipulate an application’s JavaScript objects and properties. This manipulation can lead to unauthorized data access, privilege escalation, denial-of-service, or, as in this case, remote code execution. Specifically, the flaw can be exploited through a crafted file upload combined with specially crafted HTTP requests.
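As an added illustration of the bug class only (this is not Kibana's code and not the specific flaw behind CVE-2025-25012), the hypothetical `unsafeMerge` below is a naive deep merge that lets a parsed JSON document carrying a `__proto__` key write into `Object.prototype`; `safeMerge` is the hardened form that refuses prototype-bearing keys, and `prototypeIsPolluted` is a simple detection probe:

```javascript
// Added example, not Kibana's code. The JSON input is constructed.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable (hypothetical): recurses into target[key] without vetting the key,
// so target['__proto__'] resolves to Object.prototype and gets written into.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: skips keys that can reach a prototype and only recurses into
// the target's own properties, never into inherited ones.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    if (isPlainObject(source[key])) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Detection probe: a fresh empty object should not inherit the marker.
function prototypeIsPolluted(marker) {
  const probe = {};
  return marker in probe;
}

// Constructed untrusted input: JSON.parse turns "__proto__" into an own key.
const UNTRUSTED_JSON = '{"name":"demo","__proto__":{"polluted":true}}';

// Runs one merge strategy over the input and reports whether it polluted
// Object.prototype, cleaning up afterwards so later code is unaffected.
function runDemo(mergeFn) {
  mergeFn({}, JSON.parse(UNTRUSTED_JSON));
  const polluted = prototypeIsPolluted('polluted');
  delete Object.prototype.polluted;
  return polluted;
}
```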

Affected Versions

All Kibana versions from 8.15.0 up to, but not including, 8.17.3 are affected by this vulnerability. The exploitability varies depending on the version:

  • Versions 8.15.0 to 8.17.0: Exploitable by users with the ‘Viewer’ role.
  • Versions 8.17.1 and 8.17.2: Exploitable by users possessing all of the following privileges:
    • fleet-all
    • integrations-all
    • actions:execute-advanced-connectors

Recommended Actions

Users are strongly advised to upgrade to Kibana version 8.17.3 immediately to mitigate this vulnerability. For those who cannot apply the update promptly, a temporary workaround involves disabling the Integration Assistant feature by setting xpack.integration_assistant.enabled: false in the Kibana configuration file (kibana.yml).

Previous Similar Vulnerabilities

This is not the first time Kibana has faced critical security issues. In August 2024, Elastic addressed another critical prototype pollution flaw (CVE-2024-37287) that could lead to code execution. Subsequently, in September 2024, two severe deserialization vulnerabilities (CVE-2024-37288 and CVE-2024-37285) were also patched, both of which could permit arbitrary code execution.

Conclusion

Given the critical nature of CVE-2025-25012, it is imperative for organizations using affected versions of Kibana to apply the necessary updates or mitigations without delay to protect their systems from potential exploitation.
