Critical Kibana Vulnerability Let Attackers Execute Arbitrary Code
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
Elastic has disclosed a critical security vulnerability in Kibana, its popular data visualization platform, that could allow attackers to execute arbitrary code.
The vulnerability, identified as CVE-2025-25014, affects multiple versions of Kibana and has received a CVSS score of 9.1 out of 10, classifying it as critical.
Given Kibana’s integration into enterprise monitoring and analytics stacks across industries, this vulnerability has the potential to impact a broad range of organizations.
Prototype Pollution in Kibana
According to the security advisory released on May 6, the vulnerability is a prototype pollution issue that enables attackers to execute arbitrary code via crafted HTTP requests specifically targeting Kibana’s Machine Learning and Reporting endpoints.
“A Prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine learning and reporting endpoints,” the advisory states.
Prototype pollution is a technique where attackers manipulate JavaScript object prototypes, potentially allowing them to inject malicious properties that may override application logic.
The vulnerability affects Kibana versions 8.3.0 to 8.17.5, 8.18.0, and 9.0.0. Both self-hosted Kibana instances and Elastic Cloud deployments are vulnerable, but only if they have both Machine Learning and Reporting features enabled.
For Elastic Cloud deployments, code execution is limited within the Kibana Docker container, with further exploitation such as container escape prevented by seccomp-bpf and AppArmor profiles.
Security experts warn that Kibana deployments are often connected to sensitive infrastructure monitoring data, making this vulnerability particularly concerning for organizations using Kibana for operational intelligence.
The technical details of the vulnerability suggest that attackers with the appropriate access could craft specialized HTTP requests that exploit the prototype pollution vulnerability to gain code execution privileges.
The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A: H) indicates that exploitation requires high privileges but could result in high impacts to confidentiality, integrity, and availability.
Risk Factors Details Affected ProductsKibana versions 8.3.0 to 8.17.5, 8.18.0, and 9.0.0ImpactArbitrary code execution via prototype pollution in JavaScript objectsExploit Prerequisites– Both Machine Learning AND Reporting features enabled- High-privilege attacker access CVSS 3.1 Score9.1 (Critical)
Official Solutions and Workarounds
Elastic recommends that users upgrade immediately to the patched versions: 8.17.6, 8.18.1, or 9.0.1.
For users unable to update immediately, Elastic has provided alternative mitigation strategies.
Users who cannot upgrade should disable either the Machine Learning or the reporting feature. To disable Machine Learning, administrators can add the following line to the kibana.yml configuration file:
Alternatively, self-hosted users can disable just the anomaly detection feature with:
If organizations prefer to keep Machine Learning enabled, they can instead disable the Reporting feature by adding:
In the advisory announcement, Paul from the Elastic Team said, “Disabling either feature is sufficient to mitigate the vulnerability. “
The discovery comes just two months after Elastic addressed another critical prototype pollution vulnerability (CVE-2025-25015) in March, which had a CVSS score of 9.9. That vulnerability affected Kibana versions 8.15.0 to 8.17.2.
Organizations using Kibana are advised to audit their deployments to ensure they’re not vulnerable, apply the necessary patches, and consider implementing network-level controls to restrict access to Kibana instances to trusted users and networks.
#Cyber_Security #Cyber_Security_News #Vulnerability #cyber_security #cyber_security_news #vulnerability
Оригинальная версия на сайте:
Critical Kibana Vulnerability Let Attackers Execute Arbitrary Code
Author: Guru BaranElastic has disclosed a critical security vulnerability in Kibana, its popular data visualization platform, that could allow attackers to execute arbitrary code.
The vulnerability, identified as CVE-2025-25014, affects multiple versions of Kibana and has received a CVSS score of 9.1 out of 10, classifying it as critical.
Given Kibana’s integration into enterprise monitoring and analytics stacks across industries, this vulnerability has the potential to impact a broad range of organizations.
Prototype Pollution in Kibana
According to the security advisory released on May 6, the vulnerability is a prototype pollution issue that enables attackers to execute arbitrary code via crafted HTTP requests specifically targeting Kibana’s Machine Learning and Reporting endpoints.
“A Prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine learning and reporting endpoints,” the advisory states.
Prototype pollution is a technique where attackers manipulate JavaScript object prototypes, potentially allowing them to inject malicious properties that may override application logic.
The vulnerability affects Kibana versions 8.3.0 to 8.17.5, 8.18.0, and 9.0.0. Both self-hosted Kibana instances and Elastic Cloud deployments are vulnerable, but only if they have both Machine Learning and Reporting features enabled.
For Elastic Cloud deployments, code execution is limited within the Kibana Docker container, with further exploitation such as container escape prevented by seccomp-bpf and AppArmor profiles.
Security experts warn that Kibana deployments are often connected to sensitive infrastructure monitoring data, making this vulnerability particularly concerning for organizations using Kibana for operational intelligence.
The technical details of the vulnerability suggest that attackers with the appropriate access could craft specialized HTTP requests that exploit the prototype pollution vulnerability to gain code execution privileges.
The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A: H) indicates that exploitation requires high privileges but could result in high impacts to confidentiality, integrity, and availability.
Risk Factors Details Affected ProductsKibana versions 8.3.0 to 8.17.5, 8.18.0, and 9.0.0ImpactArbitrary code execution via prototype pollution in JavaScript objectsExploit Prerequisites– Both Machine Learning AND Reporting features enabled- High-privilege attacker access CVSS 3.1 Score9.1 (Critical)
Official Solutions and Workarounds
Elastic recommends that users upgrade immediately to the patched versions: 8.17.6, 8.18.1, or 9.0.1.
For users unable to update immediately, Elastic has provided alternative mitigation strategies.
Users who cannot upgrade should disable either the Machine Learning or the reporting feature. To disable Machine Learning, administrators can add the following line to the kibana.yml configuration file:
Alternatively, self-hosted users can disable just the anomaly detection feature with:
If organizations prefer to keep Machine Learning enabled, they can instead disable the Reporting feature by adding:
In the advisory announcement, Paul from the Elastic Team said, “Disabling either feature is sufficient to mitigate the vulnerability. “
The discovery comes just two months after Elastic addressed another critical prototype pollution vulnerability (CVE-2025-25015) in March, which had a CVSS score of 9.9. That vulnerability affected Kibana versions 8.15.0 to 8.17.2.
Organizations using Kibana are advised to audit their deployments to ensure they’re not vulnerable, apply the necessary patches, and consider implementing network-level controls to restrict access to Kibana instances to trusted users and networks.
#Cyber_Security #Cyber_Security_News #Vulnerability #cyber_security #cyber_security_news #vulnerability
Оригинальная версия на сайте:
