A critical security vulnerability has been uncovered in Kibana. Tracked as CVE-2025-25015 (CVSS 9.9), the vulnerability arises from prototype pollution, which could allow attackers to execute arbitrary code on affected systems, thus posing a serious risk to businesses that employ Kibana for monitoring and data analysis.
Kibana is an open-source data visualization and exploration tool for the Elastic Stack. It allows users to analyze and visualize log data, monitor system performance, and build dashboards on top of Elasticsearch data. Common use cases include log analysis, security monitoring, and business intelligence.
Prototype Pollution? What’s that?
Prototype pollution is an injection attack that targets JavaScript runtimes. JavaScript is a prototype-based object-oriented language: every object is linked to a “prototype.” When a property or method is accessed on an object, JavaScript first checks whether it is defined directly on that object; if not, it looks for the definition on the object’s prototype, and then further up the prototype chain.
Prototype pollution occurs when an attacker can inject values that overwrite or add properties on an object’s prototype. What’s worse, because a prototype is usually shared by many objects, every one of those objects reflects the modification. This lets the attacker tamper with the application’s logic, which can lead to a Denial-of-Service (DoS) or Remote Code Execution (RCE).
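As an added illustration (not code from the advisory or from Kibana), the following Node.js snippet shows the mechanism described above: a recursive merge of untrusted JSON writes through a `__proto__` key into the shared Object.prototype, while a hardened merge that drops prototype-reaching keys does not. The payload shape and the `isAdmin` property are constructed for the demo and are not taken from the Kibana issue.

```javascript
// Added example (not advisory or Kibana code); payload and property names are constructed.
// Vulnerable: copies every key. For "__proto__", target[key] resolves to Object.prototype
// (an object), so the recursion writes straight into the shared prototype.
function mergeUnsafe(target, source) {
  for (const key in source) {
    const val = source[key];
    if (val !== null && typeof val === "object") {
      if (target[key] === null || typeof target[key] !== "object") target[key] = {};
      mergeUnsafe(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened: iterate own keys only and drop keys that can reach a prototype.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // a real handler would also log this
    const val = source[key];
    if (val !== null && typeof val === "object") {
      if (!hasOwn(target, key) || target[key] === null || typeof target[key] !== "object") target[key] = {};
      mergeSafe(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Runtime indicator: a healthy Object.prototype has no enumerable own keys.
function pollutedKeys() {
  return Object.keys(Object.prototype);
}
// Merge a constructed payload, check whether an unrelated object now inherits
// the injected property, then reset the prototype so runs stay independent.
function demo(merge) {
  const untrusted = JSON.parse('{"title":"dash","__proto__":{"isAdmin":true}}');
  merge({}, untrusted);
  const result = { leaked: pollutedKeys(), inherited: ({}).isAdmin === true };
  delete Object.prototype.isAdmin;
  return result;
}

console.log(demo(mergeUnsafe), demo(mergeSafe));
```

The `pollutedKeys()` check is cheap enough to run periodically in a Node service as a detection signal, since any enumerable own key on Object.prototype indicates that something has already written into it.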
How is Kibana affected?
Attackers can exploit the prototype pollution vulnerability in Kibana by uploading a specially crafted file and sending maliciously crafted HTTP requests, thus achieving code execution.
- Kibana versions from 8.15.0 (including) to 8.17.1 (excluding): the vulnerability is exploitable by users with the Viewer role.
- Kibana versions from 8.17.1 (including) to 8.17.3 (excluding): in these versions, exploitation is limited to users that hold all of the following privileges: fleet-all, integrations-all, and actions:execute-advanced-connectors.
A Glimpse into the Past
In August 2024, Elastic addressed CVE-2024-37287 (CVSS 9.9), another critical prototype pollution flaw in Kibana that also led to code execution.
Solutions and Mitigations
- Elastic has released the fix for CVE-2025-25015 in Kibana version 8.17.3. We strongly recommend that users upgrade their Kibana deployments.
- Users who cannot upgrade can disable the Integration Assistant by adding the following setting to Kibana’s configuration (kibana.yml):
xpack.integration_assistant.enabled: false
Instantly Fix Risks with SanerNow Patch Management
SanerNow patch management is continuous, automated, and integrated software that instantly fixes risks exploited in the wild. It supports major operating systems such as Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. SanerNow patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.
