Elastic has released security updates to fix a critical security vulnerability that could lead to arbitrary code execution.
The vulnerability, tracked as CVE-2025-25012, carries a CVSS score of 9.9 out of a maximum of 10.0. It has been described as a case of prototype pollution.
In an advisory on Wednesday, the company stated that “prototype pollution in Kibana results in arbitrary script execution via a crafted file upload and particularly crafted HTTP requests.”
Prototype pollution is a vulnerability that allows attackers to manipulate an application’s JavaScript objects and properties, possibly leading to unauthorised data access, privilege escalation, denial of service, or remote code execution.
The vulnerability affects all Kibana versions between 8.15.0 and 8.17.3. It has been addressed in version 8.17.3.
However, in Kibana versions from 8.15.0 up to, but not including, 8.17.1, the vulnerability is exploitable only by users with the Viewer role. In Kibana versions 8.17.1 and 8.17.2, it can be exploited only by users who have all of the following privileges:
- fleet-all
- integrations-all
- actions:execute-advanced-connectors
Users are advised to apply the latest fixes to protect against potential threats. If immediate patching is not an option, users are advised to set the Integration Assistant feature flag to false ("xpack.integration_assistant.enabled: false") in Kibana’s configuration ("kibana.yml").
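The version ranges, privilege list and feature flag above can be turned into a triage check. The following is an added example, not code from Elastic or from the advisory; the role export format, the sample roles and the status strings are constructed for illustration. It assumes the first range runs from 8.15.0 up to but not including 8.17.1, that 8.17.3 is fixed, and that the flag appears in kibana.yml as a flat dotted key.

```python
import re

# The three privileges the article lists for Kibana 8.17.1 and 8.17.2.
REQUIRED_PRIVS = {"fleet-all", "integrations-all", "actions:execute-advanced-connectors"}
# Matches an uncommented line that sets the Integration Assistant flag to false.
FLAG_OFF = re.compile(
    r"^\s*xpack\.integration_assistant\.enabled\s*:\s*false\s*(#.*)?$", re.M | re.I)

# Constructed sample: hypothetical role export, role name -> Kibana privileges.
SAMPLE_ROLES = {
    "soc-readonly": {"read"},
    "fleet-admin": {"read", "fleet-all", "integrations-all",
                    "actions:execute-advanced-connectors"},
}


def parse_version(text):
    """Turn '8.17.2' into (8, 17, 2) so versions compare numerically."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a major.minor.patch version: {text!r}")
    return tuple(int(p) for p in parts)


def flag_disabled(kibana_yml):
    """True if the flat dotted key is set to false (nested YAML is not handled)."""
    return bool(FLAG_OFF.search(kibana_yml))


def exposure(version, kibana_yml, roles):
    """Return (status, roles that meet the article's precondition for this version)."""
    v = parse_version(version)
    if not (8, 15, 0) <= v < (8, 17, 3):
        return "not-affected", []
    if flag_disabled(kibana_yml):
        return "mitigated-by-flag", []
    if v < (8, 17, 1):
        # Assumption: every role in the export grants at least Viewer-level access.
        risky = sorted(roles)
    else:
        # 8.17.1 and 8.17.2: only roles holding all three listed privileges qualify.
        risky = sorted(r for r, privs in roles.items() if REQUIRED_PRIVS <= set(privs))
    return ("exposed" if risky else "affected-no-qualifying-role"), risky
```

A "mitigated-by-flag" result still calls for the upgrade, since the flag is the stopgap the advisory offers when patching cannot happen immediately.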
Another critical prototype pollution flaw in Kibana (CVSS score: 9.9) that could lead to code execution was addressed by Elastic in August 2024. A month later, it resolved two more flaws (CVE-2024-37288, CVSS score: 9.9, and CVE-2024-37285, CVSS score: 9.1) that could also permit arbitrary code execution.