Elastic has disclosed a critical vulnerability in Kibana, its widely used data visualization platform, identified as CVE-2025-25014. The flaw, rated CVSS 9.1, could allow an attacker to execute arbitrary code through prototype pollution in Kibana's Machine Learning and Reporting endpoints. It affects Kibana versions 8.3.0 to 8.17.5, 8.18.0, and 9.0.0, in both self-hosted instances and Elastic Cloud deployments. The vulnerability is particularly concerning because Kibana is integrated into enterprise monitoring and analytics stacks, so a wide range of organizations may be exposed.
Prototype pollution occurs when an attacker manipulates JavaScript object prototypes to inject properties that the application never set, overriding its logic. Exploiting this vulnerability requires high privileges, but a successful attack can compromise confidentiality, integrity, and availability. Elastic Cloud deployments are partly protected by seccomp-bpf and AppArmor profiles, while the risk remains high for self-hosted instances with Machine Learning and Reporting enabled. The CVSS vector indicates that exploitation could have severe consequences, especially given Kibana's role in monitoring sensitive infrastructure data.
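To make the mechanism concrete, the following added example (not Kibana's code, and unrelated to the specific endpoints in the advisory) shows how a naive recursive merge of untrusted JSON lets a `__proto__` key write onto `Object.prototype`, how a hardened merge that refuses prototype-reaching keys prevents it, and how to check a running process for pollution. The JSON payload and the `isAdmin` property name are constructed for the demonstration.

```javascript
// Added example, not code from Kibana or the Elastic advisory.
// Constructed untrusted input, as it might arrive in a JSON request body.
// JSON.parse creates "__proto__" as an *own* property, which Object.keys() returns.
const UNTRUSTED_JSON = '{"name":"job-1","__proto__":{"isAdmin":true}}';

// Vulnerable pattern: copies every key of `source` into `target`, recursing into
// objects. With key "__proto__", target[key] resolves to Object.prototype, so the
// recursive call assigns Object.prototype.isAdmin = true for the whole process.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened pattern: drop keys that reach the prototype chain and only recurse
// into properties the target itself owns, never inherited ones.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runtime check: a clean Object.prototype has no own enumerable properties, so
// any key returned here is evidence that something polluted it.
function pollutedPrototypeKeys() {
  return Object.keys(Object.prototype);
}

// Runs both merges against the same payload and reports what each one did.
function demonstrate() {
  // 1. Vulnerable merge: a brand-new, empty object afterwards "has" isAdmin.
  unsafeMerge({}, JSON.parse(UNTRUSTED_JSON));
  const leakedViaUnsafe = ({}).isAdmin === true;
  const pollutedKeys = pollutedPrototypeKeys().join(',');
  delete Object.prototype.isAdmin; // undo the damage so the rest of the process is clean

  // 2. Hardened merge: "__proto__" is discarded, ordinary keys still merge.
  const config = safeMerge({ name: 'default' }, JSON.parse(UNTRUSTED_JSON));
  const leakedViaSafe = ({}).isAdmin === true;

  return {
    leakedViaUnsafe,           // true: pollution succeeded
    pollutedKeys,              // "isAdmin"
    leakedViaSafe,             // false: hardened merge kept the prototype clean
    mergedName: config.name,   // "job-1": legitimate data still merged
  };
}

console.log(demonstrate());
```

The `FORBIDDEN_KEYS` deny-list plus the own-property check is the usual minimal fix; stronger options are building merge targets with `Object.create(null)` so there is no prototype to reach, or `Object.freeze(Object.prototype)` at startup, which turns a pollution attempt into a no-op. The `pollutedPrototypeKeys()` check is cheap enough to run from a health endpoint as a detection signal.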
Elastic recommends that affected users upgrade to the patched versions, 8.17.6, 8.18.1, or 9.0.1. For those unable to upgrade immediately, Elastic suggests disabling either the Machine Learning or the Reporting feature as a temporary mitigation. Either feature can be turned off in the Kibana configuration; which one to disable depends on which the organization needs to keep. The advisory emphasizes that disabling either feature mitigates the vulnerability until the patch can be applied.
This vulnerability follows a similar issue, CVE-2025-25015, which was addressed in March 2025, further highlighting the need for organizations using Kibana to stay vigilant. Elastic advises organizations to audit their Kibana deployments for vulnerabilities, apply the necessary patches, and implement network-level controls to restrict access to trusted users. The urgency to update Kibana deployments is clear, given the potential for significant exploitation and system compromise.
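The version ranges, patched releases and the either-feature mitigation above lend themselves to a small triage helper for auditing a fleet of Kibana instances. The block below is an added example, not Elastic's code. The affected ranges and fixed versions are taken from the advisory text; the configuration keys `xpack.ml.enabled` and `xpack.reporting.enabled`, and the assumption that both features count as enabled when the key is absent, are assumptions about `kibana.yml` that the advisory text here does not quote.

```javascript
// Added example, not Elastic's code: triage a Kibana version plus a few
// kibana.yml settings against the CVE-2025-25014 advisory.

// Affected ranges and the fixed release for each, as stated in the advisory.
const AFFECTED = [
  { from: '8.3.0',  to: '8.17.5', fixed: '8.17.6' },
  { from: '8.18.0', to: '8.18.0', fixed: '8.18.1' },
  { from: '9.0.0',  to: '9.0.0',  fixed: '9.0.1'  },
];

// Parse "MAJOR.MINOR.PATCH" into numbers; any suffix after the patch is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable Kibana version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison, so 8.17.5 sorts before 8.18.0 (string compare would not).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Returns the advisory range that contains `version`, or null if none does.
function affectedRange(version) {
  return AFFECTED.find(r =>
    compareVersions(version, r.from) >= 0 && compareVersions(version, r.to) <= 0) || null;
}

// `settings` is a flat object of kibana.yml keys. The key names and the
// "absent means enabled" default are assumptions, not quoted from the advisory.
function assessKibana(version, settings = {}) {
  const range = affectedRange(version);
  const mlEnabled = settings['xpack.ml.enabled'] !== false;
  const reportingEnabled = settings['xpack.reporting.enabled'] !== false;
  // The advisory says disabling either feature mitigates the issue, so an
  // instance is exposed only when its version is affected and both are on.
  const exposed = range !== null && mlEnabled && reportingEnabled;
  return {
    version,
    vulnerableVersion: range !== null,
    mitigated: range !== null && !exposed,
    exposed,
    upgradeTo: range ? range.fixed : null,
  };
}

// Constructed inventory to illustrate the output for a mixed fleet.
const SAMPLE_FLEET = [
  { host: 'kibana-a', version: '8.17.5', settings: {} },
  { host: 'kibana-b', version: '8.18.0', settings: { 'xpack.reporting.enabled': false } },
  { host: 'kibana-c', version: '9.0.1',  settings: {} },
];

for (const h of SAMPLE_FLEET) {
  console.log(h.host, assessKibana(h.version, h.settings));
}
```

In practice the version comes from the Kibana status endpoint or the package manager and the settings from the deployed `kibana.yml`; the point of the helper is that "mitigated" and "patched" are tracked separately, so a temporarily mitigated instance still shows up with an `upgradeTo` target.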