Elastic has rolled out safety updates to deal with a vital safety flaw impacting the Kibana knowledge visualization dashboard instrument for Elasticsearch that might lead to arbitrary code execution.
The vulnerability, tracked as CVE-2025-25012, carries a CVSS ranking of 9.9 out of a most of 10.0. It’s been described as a case of prototype air pollution.
“Prototype air pollution in Kibana ends up in arbitrary code execution by the use of a crafted document add and in particular crafted HTTP requests,” the corporate mentioned in an advisory launched Wednesday.
Prototype air pollution vulnerability is a safety flaw that permits attackers to control an utility’s JavaScript gadgets and homes, probably resulting in unauthorized knowledge get right of entry to, privilege escalation, denial-of-service, or faraway code execution.
The vulnerability impacts all variations of Kibana between 8.15.0 and eight.17.3. It’s been addressed in model 8.17.3.
That mentioned, in Kibana variations from 8.15.0 and prior to eight.17.1, the vulnerability is exploitable handiest through customers with the Viewer function. In Kibana variations 8.17.1 and eight.17.2, it could actually handiest be exploited through customers that experience all of the below-mentioned privileges –
- fleet-all
- integrations-all
- movements:execute-advanced-connectors
Customers are steered to take steps to use the most recent fixes to safeguard towards attainable threats. Within the tournament quick patching isn’t an choice, customers are beneficial to set the Integration Assistant function flag to false (“xpack.integration_assistant.enabled: false”) in Kibana’s configuration (“kibana.yml”).
In August 2024, Elastic addressed some other vital prototype air pollution flaw in Kibana (CVE-2024-37287, CVSS ranking: 9.9) that might result in code execution. A month later, it resolved two serious deserialization insects (CVE-2024-37288, CVSS ranking: 9.9 and CVE-2024-37285, CVSS ranking: 9.1) that might additionally allow arbitrary code execution.