Elastic patches critical Kibana flaw allowing code execution

Elastic patches critical Kibana flaw allowing code execution

Elastic patches critical Kibana flaw allowing code execution

Pierluigi Paganini
Elastic patches critical Kibana flaw allowing code execution March 06, 2025

Elastic patches critical Kibana flaw allowing code execution

Elastic fixed a critical flaw in the Kibana data visualization dashboard software for Elasticsearch that could lead to arbitrary code execution.

Elastic released security updates to address a critical vulnerability, tracked as CVE-2025-25012 (CVSS score of 9.9), impacting the Kibana data visualization dashboard software for Elasticsearch.

Kibana provides visualization capabilities on top of the content indexed on an Elasticsearch cluster. Users can create bar, line and scatter plots, or pie charts and maps on top of large volumes of data.

An attacker could exploit the vulnerability to gain arbitrary code execution by uploading a specially crafted file and using specifically crafted HTTP requests.

“Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests.” reads the advisory. “In Kibana versions >= 8.15.0 and < 8.17.1, this is exploitable by users with the Viewer role. In Kibana versions 8.17.1 and 8.17.2 , this is only exploitable by users that have roles that contain all the following privileges: fleet-allintegrations-allactions:execute-advanced-connectors

Prototype Pollution is a type of vulnerability in JavaScript applications where an attacker can manipulate an object’s prototype, leading to unexpected behavior, security issues, or even remote code execution.

The flaw impacts all software versions between 8.15.0 and 8.17.3. The company addressed the flaw with the release of version 8.17.3.

In Kibana 8.15.0 to 8.17.1, the vulnerability affects users with the Viewer role. In 8.17.1 and 8.17.2, it requires fleet-all, integrations-all, and actions:execute-advanced-connectors privileges.

For users who cannot upgrade, set xpack.integration_assistant.enabled: false in Kibana’s configuration as a mitigation.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, code execution)







Source link