Elastic has rolled out security updates to handle a essential security flaw impacting the Kibana information visualization dashboard software program for Elasticsearch that might end in arbitrary code execution.
The vulnerability, tracked as CVE-2025-25012, carries a CVSS rating of 9.9 out of a most of 10.0. It has been described as a case of prototype air pollution.
“Prototype air pollution in Kibana results in arbitrary code execution through a crafted file add and particularly crafted HTTP requests,” the corporate mentioned in an advisory launched Wednesday.
Prototype air pollution vulnerability is a security flaw that permits attackers to control an software’s JavaScript objects and properties, doubtlessly resulting in unauthorized information entry, privilege escalation, denial-of-service, or distant code execution.
The vulnerability impacts all variations of Kibana between 8.15.0 and eight.17.3. It has been addressed in model 8.17.3.
That mentioned, in Kibana variations from 8.15.0 and prior to eight.17.1, the vulnerability is exploitable solely by customers with the Viewer function. In Kibana variations 8.17.1 and eight.17.2, it could solely be exploited by customers which have all of the below-mentioned privileges –
- fleet-all
- integrations-all
- actions:execute-advanced-connectors
Customers are suggested to take steps to use the most recent fixes to safeguard in opposition to potential threats. Within the occasion fast patching just isn’t an choice, customers are really useful to set the Integration Assistant characteristic flag to false (“xpack.integration_assistant.enabled: false”) in Kibana’s configuration (“kibana.yml”).
In August 2024, Elastic addressed one other essential prototype air pollution flaw in Kibana (CVE-2024-37287, CVSS rating: 9.9) that might result in code execution. A month later, it resolved two extreme deserialization bugs (CVE-2024-37288, CVSS rating: 9.9 and CVE-2024-37285, CVSS rating: 9.1) that might additionally allow arbitrary code execution.
