CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2025-25015

CVSS 9.9v3.1pub. 2025-03-05upd. 2025-10-02

Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests. In Kibana versions >= 8.15.0 and < 8.17.1, this is exploitable by users with the Viewer role. In Kibana versions 8.17.1 and 8.17.2 , this is only exploitable by users that have roles that contain all the following privileges: fleet-all, integrations-all, actions:execute-advanced-connectors

🤖 AI Analysis
How it works

The attacker exploits the prototype pollution mechanism (CWE-1321) by uploading a specially crafted file and sending appropriately constructed HTTP requests. Manipulation of JavaScript object prototypes allows injection and execution of malicious code on the server side. In Kibana versions >= 8.15.0 and < 8.17.1, the exploit is available to any user with the Viewer role. In versions 8.17.1 and 8.17.2, the vulnerability is exploitable only by users possessing all of the following permissions: fleet-all, integrations-all, and actions:execute-advanced-connectors.

Impact

Successful exploitation of this vulnerability allows an attacker to execute arbitrary code remotely (RCE) in the context of the Kibana server, which may lead to complete system takeover, data breach, and compromise of integrity and availability of the environment.

Mitigation & patch

Kibana must be updated to version 8.17.3 or 8.16.6 according to information published by Elastic (ESA-2025-06). Details available at: https://discuss.elastic.co/t/kibana-8-17-3-8-16-6-security-update-esa-2025-06/375441

Who is affected

Elastic Kibana in versions >= 8.15.0 and < 8.17.1 (exploitable by users with Viewer role) and versions 8.17.1 and 8.17.2 (exploitable by users with fleet-all, integrations-all, actions:execute-advanced-connectors permissions).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Elastic Kibana

    APP
    Elastic
    8.15.0 – 8.16.6 (bez)8.17.0 – 8.17.3 (bez)
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2019-7609CRITICAL10.0⚠ KEVten sam produkt

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. A...

CVE-2025-25014CRITICAL9.1PL ✓ten sam produkt

Prototype Pollution w Kibana prowadzące do RCE przez HTTP

CVE-2024-37285CRITICAL9.1PL ✓ten sam produkt

RCE przez deserializację YAML w Elastic Kibana

CVE-2024-37288CRITICAL9.9PL ✓ten sam produkt

Deserializacja YAML w Kibana umożliwia zdalne wykonanie kodu (RCE)

CVE-2024-37287CRITICAL9.1PL ✓ten sam produkt

RCE w Kibana — prototype pollution przez ML i Alerting connector