
    Elastic Issues Critical Patch for High-Severity Kibana Vulnerability Enabling Remote Code Execution

    Elastic has swiftly deployed security updates to neutralize a critical vulnerability within Kibana, the data visualization tool integrated with Elasticsearch. This flaw, if left unpatched, could permit malicious actors to execute arbitrary code within affected environments.

    Designated CVE-2025-25012, this flaw carries a CVSS severity rating of 9.9/10, categorizing it as an extreme security risk. The underlying issue stems from prototype pollution, a dangerous class of JavaScript vulnerability that allows attackers to manipulate the fundamental structure of application objects.

    “Prototype pollution in Kibana facilitates arbitrary code execution via a deliberately crafted file upload and specifically tailored HTTP requests,” Elastic warned in a security advisory issued on Wednesday.

    Vulnerability Impact & Affected Versions

    Prototype pollution is an insidious security defect that enables adversaries to tamper with JavaScript object prototypes, potentially triggering a cascade of security breaches—ranging from unauthorized data access and privilege escalation to denial-of-service (DoS) attacks and remote code execution (RCE).
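    The bug class at the heart of this advisory, shown as an added example that is not Kibana's code: a naive deep merge of request JSON that writes through to Object.prototype, beside a hardened merge that refuses prototype-walking keys. The merge helpers, the probe and the sample request bodies are assumptions constructed for illustration, not anything from the advisory.

```javascript
// Naive deep merge: copies every key of attacker-controlled JSON onto target,
// including "__proto__"/"constructor", so recursion reaches Object.prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (!target[key]) target[key] = {}; // target[key] may be the inherited prototype
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened deep merge: rejects keys that reach the prototype chain and only
// recurses into the target's own plain-object properties.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Merge a JSON body into a fresh object, then check whether an unrelated new
// object inherits isAdmin (true = Object.prototype polluted); clean up after.
function mergeAndProbe(merge, bodyJson) {
  try {
    merge({}, JSON.parse(bodyJson));
    return ({}).isAdmin === true;
  } finally {
    delete Object.prototype.isAdmin;
  }
}

// Constructed sample bodies (not from the advisory): two routes to the prototype.
const PROTO_BODY = '{"title": "dash", "__proto__": {"isAdmin": true}}';
const CTOR_BODY = '{"title": "dash", "constructor": {"prototype": {"isAdmin": true}}}';
console.log(mergeAndProbe(unsafeMerge, PROTO_BODY), mergeAndProbe(safeMerge, PROTO_BODY)); // true false
```

    Freezing Object.prototype at startup is a useful defence-in-depth layer on top of key filtering, since it turns any remaining pollution attempt into a no-op or a thrown error rather than a silent global change.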

    The vulnerability affects Kibana versions 8.15.0 through 8.17.3, with Elastic delivering a fix in version 8.17.3.

    However, the exploitability varies based on the Kibana release:

    • Versions 8.15.0 to 8.17.1: Only users possessing the Viewer role can leverage this flaw.
    • Versions 8.17.1 and 8.17.2: Exploitation requires users to hold all the following privileges:
      • fleet-all
      • integrations-all
      • actions:execute-advanced-connectors

    Mitigation & Remediation

    Elastic urges all Kibana users to implement the latest patches immediately. If immediate patching is infeasible, a temporary mitigation involves disabling the Integration Assistant.

    Prior Security Concerns in Kibana

    This is not the first instance of a critical prototype pollution flaw affecting Kibana. In August 2024, Elastic addressed CVE-2024-37287 (CVSS score: 9.9), another severe vulnerability capable of leading to arbitrary code execution. One month later, the company resolved two additional deserialization vulnerabilities (CVE-2024-37288 and CVE-2024-37285, scoring 9.9 and 9.1 respectively), both of which could be exploited for remote execution of malicious code.

    Call to Action

    Organizations relying on Kibana should urgently upgrade to version 8.17.3 or apply the recommended mitigation steps. Given the severity of the flaw, delaying action could expose critical infrastructure to exploitation.
