CVE-2025-25014

Kibana arbitrary code execution via prototype pollution

CVSS 9.1 CRITICAL · EPSS 13.7% · CWE-1321
In short

A flaw in Kibana allows attackers to manipulate how the application creates objects, leading to arbitrary code execution. This happens through specially crafted requests to machine learning and reporting features, letting attackers run any code on the server.

Technical detail

A prototype pollution vulnerability in Kibana's object handling allows attackers to inject malicious properties into prototype chains via crafted HTTP requests to machine learning and reporting endpoints, resulting in arbitrary code execution with server privileges. The attack requires network access to the affected endpoints; no authentication bypass is needed if those endpoints are exposed.
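To make the vulnerability class concrete from a defender's side, the following is an added JavaScript example, not Kibana's code and not derived from this CVE's patch. It assumes a generic server that merges a parsed JSON request body into a configuration object, and shows two controls: a validator (`findPrototypeKeys`, a hypothetical name) that reports keys in a request body that would reach the prototype chain under a naive recursive merge, and a hardened merge (`safeMerge`, also hypothetical) that skips those keys and only recurses into the target's own properties. The sample body is constructed for the demo.

```javascript
// Keys that a recursive merge must never follow: each of them lets an own
// property on the source reach Object.prototype (or a constructor's prototype)
// on the target instead of a plain data property.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Walk a parsed JSON body and return dotted paths of keys that would touch the
// prototype chain under a naive merge. Usable as a request validation step or
// as a detection check over logged request bodies. Note that JSON.parse creates
// "__proto__" as an own, enumerable property, so Object.entries does see it.
function findPrototypeKeys(value, path = [], found = []) {
  if (value === null || typeof value !== "object") return found;
  const entries = Array.isArray(value)
    ? value.map((v, i) => [String(i), v])
    : Object.entries(value);
  for (const [key, child] of entries) {
    const here = [...path, key];
    if (BLOCKED_KEYS.has(key)) found.push(here.join("."));
    findPrototypeKeys(child, here, found);
  }
  return found;
}

// Hardened deep merge: refuses blocked keys, only recurses into objects the
// target itself owns, and creates nested containers without a prototype so a
// later write cannot reach Object.prototype through them.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue; // never walk into the prototype chain
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      const ownObject =
        Object.prototype.hasOwnProperty.call(target, key) &&
        typeof target[key] === "object" &&
        target[key] !== null;
      if (!ownObject) target[key] = Object.create(null);
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed sample body (not a real request): a legitimate setting plus a
// "__proto__" member of the kind a naive merge would copy onto Object.prototype.
const SAMPLE_BODY = '{"settings":{"theme":"dark"},"__proto__":{"polluted":true}}';

// Runs the validator and the hardened merge over the sample and reports what
// a reviewer would want to check: the flagged path, that normal data survived,
// that no own "__proto__" key was created, and that Object.prototype is intact.
function demo() {
  const body = JSON.parse(SAMPLE_BODY);
  const flagged = findPrototypeKeys(body);
  const merged = safeMerge(Object.create(null), body);
  return {
    flagged,
    mergedTheme: merged.settings.theme,
    ownProtoKey: Object.prototype.hasOwnProperty.call(merged, "__proto__"),
    globalPolluted: ({}).polluted === true,
  };
}

console.log(JSON.stringify(demo()));
```

In practice the validator belongs in front of any endpoint that accepts nested JSON and merges it into server-side state, and the merge hardening belongs in the shared utility rather than at individual call sites, so that a new endpoint cannot reintroduce the defect.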

Summary generated and translated by AI from the official description.

Official description: A prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine learning and reporting endpoints.

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Affected products
Elastic · Kibana