Kibana Security Update – Patch for Vulnerability Leads to Code Injection

Elastic has released critical security updates for Kibana, addressing a high-severity vulnerability that could allow attackers to inject malicious code into affected systems. 

The security update patches a prototype pollution vulnerability that, when exploited, could lead to remote code execution through a sophisticated attack chain.

The flaw, identified as CVE-2024-12556 with a CVSS score of 8.7 (High), affects Kibana versions 8.16.1 through 8.17.1. 

Kibana Vulnerability Details

Security researchers discovered that attackers could exploit a prototype pollution weakness combined with unrestricted file upload and path traversal techniques to achieve code injection.

Prototype pollution is a vulnerability specific to JavaScript and Node.js applications that allows attackers to manipulate an object’s prototype, introducing or overwriting properties that should not be accessible. 

When successfully exploited in Kibana, this vulnerability creates a dangerous attack vector through which malicious actors can:

• Upload files containing harmful code.
• Use path traversal to write to unintended locations.
• Pollute object prototypes to affect server logic.
• Execute arbitrary code within the Kibana environment.

The vulnerability has been confirmed as remotely exploitable, with an impact score of 5.8 and an exploitability score of 2.3.

The summary of the vulnerability is given below:

Mitigation 

Elastic strongly recommends that all affected users upgrade immediately to Kibana version 8.16.4 or 8.17.2 (or higher), depending on their current deployment branch.

These patched versions include fixes that prevent the prototype pollution attack vector.

For organizations that cannot immediately update their Kibana installations, a temporary mitigation is available. Administrators can disable the Integration Assistant feature by adding the following configuration line to their kibana.yml file:

This configuration change prevents exploitation of the vulnerability while organizations prepare for a complete upgrade.

This security update comes amid increasing concerns about prototype pollution vulnerabilities in JavaScript-based applications. 

Earlier this year, Elastic addressed another critical prototype pollution issue in Kibana (ESA-2025-06, CVE-2025-25015) that could lead to arbitrary code execution with a CVSS score of 9.9.

These vulnerabilities highlight the importance of promptly applying security updates to data visualization and analytics platforms, especially those handling sensitive organizational data.

Security experts emphasize that organizations running outdated versions should accelerate their upgrade plans, as version 7.9.0 and other older releases may be vulnerable to multiple security issues. 

The Elastic documentation specifically notes that rolling upgrades are unsupported in Kibana, meaning all instances must be shut down before upgrading to prevent data loss or upgrade failures.

Organizations using Kibana should review their security posture, ensure proper access controls are in place, and implement the recommended mitigations to protect against this and other potential vulnerabilities in their data visualization infrastructure.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try 50 Request for Free