Summary: Elastic has issued a security update for Kibana to rectify a critical vulnerability (CVE-2025-25012) that enables arbitrary code execution through a prototype pollution issue. This vulnerability, given a CVSS score of 9.9, affects multiple Kibana versions and requires users to upgrade to version 8.17.3 or implement mitigation strategies. Failure to address this vulnerability may expose systems to attacks, especially for users with specific privileges or roles.
Affected: Elastic Kibana
Keypoints :
- The vulnerability allows arbitrary code execution via crafted file uploads and HTTP requests.
- Versions 8.15.0 to 8.17.0 are exploitable by ‘Viewer’ role users, while versions 8.17.1 and 8.17.2 require specific privileges.
- Elastic recommends upgrading to Kibana version 8.17.3 or temporarily disabling the Integration Assistant to mitigate risks.