Critical Kibana Flaw: Elastic Patches Code Execution Vulnerability
Elastic addresses a critical vulnerability in Kibana, enabling arbitrary code execution. Learn how this flaw impacts Elasticsearch visualization and how to mitigate risks.
TL;DR
Elastic has released a critical security update for Kibana, addressing a vulnerability that allows arbitrary code execution through prototype pollution. Users are urged to upgrade to version 8.17.3 or apply mitigation strategies to prevent exploitation.
Critical Kibana Flaw: Elastic Patches Code Execution Vulnerability
Elastic has addressed a critical vulnerability in Kibana, the data visualization dashboard software for Elasticsearch, which could lead to arbitrary code execution. Tracked as CVE-2025-25012 with a CVSS score of 9.9, this flaw poses a significant security risk.
Understanding Kibana and Elasticsearch
Kibana is a powerful visualization tool that works with Elasticsearch to create insightful visualizations from indexed data. Users can generate various charts and maps to analyze large volumes of data effectively.
Vulnerability Overview
The vulnerability allows attackers to execute arbitrary code by uploading a specially crafted file and using specifically crafted HTTP requests. This type of attack, known as prototype pollution, manipulates an object’s prototype in JavaScript applications, leading to unexpected behavior and security risks.
Prototype Pollution is a class of vulnerabilities in JavaScript runtimes that allows attackers to overwrite arbitrary properties in an object’s prototype. In a prototype pollution attack, attackers inject properties into existing JavaScript construct prototypes, trying to compromise the application.
Impacted Versions and Mitigation
The flaw affects Kibana versions between 8.15.0 and 8.17.3. Elastic has released version 8.17.3 to address this issue. Here are the specific impacts:
- Kibana 8.15.0 to 8.17.1: Vulnerable to users with the Viewer role.
- Kibana 8.17.1 and 8.17.2: Vulnerable to users with
fleet-all
,integrations-all
, andactions:execute-advanced-connectors
privileges.
For users who cannot upgrade immediately, setting xpack.integration_assistant.enabled: false
in Kibana’s configuration can mitigate the risk.
Stay Informed
Follow Pierluigi Paganini on Twitter, Facebook, and Mastodon for the latest updates on cybersecurity.
Additional Resources
For further insights, check:
- Cybersecurity & Data Protection Affairs: Elastic Kibana Critical Flaw
- Prototype Pollution Prevention Cheat Sheet - OWASP
Stay vigilant and ensure your systems are protected against this critical vulnerability.