
Elastic has rolled out security updates to address a critical security flaw affecting Kibana, the data visualization dashboard software for Elasticsearch, that could lead to arbitrary code execution.
The vulnerability, tracked as CVE-2025-25012, carries a CVSS score of 9.9 out of a maximum of 10.0. It has been described as a case of prototype pollution.
“Kibana prototype pollution leads to arbitrary code execution via uploading created files and specifically creating HTTP requests,” the company said in an advisory released Wednesday.
Prototype pollution vulnerabilities are security flaws that allow attackers to manipulate JavaScript objects and properties in applications, which can lead to unauthorized data access, privilege escalation, denial of service, or remote code execution.
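How a bug of this class arises, shown with a generic recursive merge next to a hardened version. This is an added example, not Kibana code and not the specific flaw behind CVE-2025-25012; the function names and the JSON input are constructed for illustration.

```javascript
// Added illustration of the bug class; not taken from Kibana.
const isObject = (v) => v !== null && typeof v === "object";

// Vulnerable pattern: copies every key, so "__proto__" resolves to
// Object.prototype on the target and the merge writes into it.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isObject(source[key]) && isObject(target[key])) {
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened pattern: reject prototype-reaching keys and only descend
// into properties the target actually owns.
const FORBIDDEN = new Set(["__proto__", "constructor", "prototype"]);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN.has(key)) continue;
    const value = source[key];
    if (isObject(value) && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Merge a constructed untrusted JSON body into settings, then check whether
// an unrelated, freshly created object picked up the injected property.
function demo(mergeFn) {
  const body = '{"theme":{"dark":true},"__proto__":{"isAdmin":true}}';
  const settings = mergeFn({ theme: { dark: false } }, JSON.parse(body));
  const polluted = {}.isAdmin === true;
  delete Object.prototype.isAdmin; // undo the pollution before returning
  return { dark: settings.theme.dark, polluted };
}

console.log("unsafe:", demo(unsafeMerge), "safe:", demo(safeMerge));
```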
The vulnerability affects all versions of Kibana between 8.15.0 and 8.17.3. It has been addressed in version 8.17.3.

That said, in Kibana versions from 8.15.0 and prior to 8.17.1, the vulnerability is exploitable only by users with the Viewer role. In Kibana versions 8.17.1 and 8.17.2, it is exploitable only by users who have all of the following privileges: fleet-all, integrations-all, actions:execute-advanced-connectors
Users are encouraged to apply the latest fixes to protect against potential threats. If immediate patching is not an option, users are advised to set the Integration Assistant feature flag to false (“xpack.integration_assistant.enabled: false”) in Kibana's configuration (“kibana.yml”).
In August 2024, Elastic addressed another important prototype pollution flaw in Kibana (CVE-2024-37287, CVSS score: 9.9) that could lead to code execution. One month later, it resolved two severe deserialization bugs (CVE-2024-37288, CVSS score: 9.9 and CVE-2024-37285, CVSS score: 9.1).