On Wednesday, March 5th, Kibana disclosed a security vulnerability with a Critical CVSS score of 9.9 impacting versions 8.15.0 through 8.17.2, with 8.17.3 being patched to fully remediate the vulnerability. The vulnerability, known as prototype pollution, revolves around the malicious crafting of file uploads and the sending HTTP requests leading to arbitrary code execution on the host machine. This issue is being tracked as CVE-2025-25015 and further documented under ESA-2025-06.
Vulnerability Type
CWE-1321: Prototype Pollution
The flaw is categorized under Improperly Controlled Modification of Object Prototype Attributes, commonly known as Prototype Pollution which allow attackers to manipulate an application’s JavaScript objects and properties, potentially enabling unauthorized data access, privilege escalation, denial of service, or even remote code execution.
CVSS Score
Base Score: 9.9 (Critical)
Attack Vector: Network (AV:N) – The attack can be carried out remotely over a network (e.g. via HTTP requests to Kibana)
Attack Complexity: Low (AC:L) – No special conditions or bypasses are required; the exploit is straightforward once access is obtained
Privileges Required: Low (PR:L) – The attacker needs at most a low-privileged Kibana account (such as a Viewer role) to exploit the flaw
User Interaction: None (UI:N) – No user assistance or interaction is needed during the attack
Scope: Changed (S:C) – A successful exploit can break out of the Kibana application scope, potentially impacting the underlying host or connected systems
Impact on Confidentiality/Integrity/Availability: High (C:H/I:H/A:H) – Exploitation can lead to complete compromise of data and systems: the attacker can view sensitive data, modify or destroy data, and disrupt services
Impacted Versions
Kibana versions >= 8.15.0 and < 8.17.3
Mitigation Steps
The current recommended remediation is to upgrade to version 8.17.3. Software upgrades may take time to implement. In the interim, organizations can protect themselves by modifying the Kibana configuration file to include the following configuration:
💡xpack.integration_assistant.enabled: false
In most scenarios, this configuration change will not impact users or current server function unless the feature is being actively used for the import of previously unmapped data schemas through the “Automatic Import” UI, using the AI-driven data integration features, or are using the Amazon Bedrock Connector in conjunction with Elastic’s built-in AI functionality.
Exploit Process
The vulnerability, known as prototype pollution, is invoked through a maliciously crafted file upload and specifically crafted HTTP requests that allow for arbitrary command execution. The exploitation path following would likely include developing persistence and a means of maintaining a connection that does not depend upon Kibana for further attacks. Affected versions and their details are highlighted below with a notable disclosure from Kibana that self-managed Kibana instances on Basic or Platinum licenses are not affected by this vulnerability:
| Versions | Details |
|---|---|
| Kibana 8.15.0 – 8.17.0 | Any user with the Viewer role can trigger the exploit. |
| Kibana 8.17.1 – 8.17.2: | Exploitation is restricted to higher-privileged roles. An attacker’s Kibana role must include ALL of the following privileges:actions:execute-advanced-connectorsfleet-allintegrations-all |
At the time of writing, there is no evidence of a public Proof-of-Concept available nor is there any evidence of mass exploitation.
What to watch out for:
- Examine existing access controls to limit exposure to trusted personnel only, which will limit exposure to that of an insider threat
- Monitor for suspicious HTTP requests , API calls or unexpected file uploads to the environment
- Examine Kibana logs for anomalous activity and alerts
Centripetal’s Perspective
While Kibana has traditionally been considered a safe and secure platform, organizations have been deploying the software more frequently to structure data prior to ingestion into their current SIEM architecture. The increased usage has resulted in more focus from the broader security industry as a whole. CVE-2025-25015 is the fourth critical vulnerability in Kibana since August 2024 (CVE-2024-37287, CVE-2024-37288, and CVE-2024-37285).
Given the severity of the vulnerability immediate patching of affected versions of the service is advised and mitigation strategies put in place to reduce the risk posed. Due to the timeliness of the notification from Kibana and their available patch and mitigation, proper remediation efforts can be employed, to ensure organizations are able to safely protect themselves.
Users with a publicly accessible Kibana instance behind the CleanINTERNET® service will continue to receive the protections provided by emerging threat intelligence related to threat actors who may attempt to exploit this vulnerability. However, if you are a current client of Kibana and have additional questions on this advisory, please contact support@centripetal.ai.
Centripetal is also pleased to offer Penetration Testing and Vulnerability Assessment services to help organizations identify vulnerabilities and reduce risk. If interested, please contact our Professional Services team at profservs@centripetal.ai or reach out to your Centripetal Account Representative.
Resources
- https://thehackernews.com/2025/03/elastic-releases-urgent-fix-for.html?m=1
- https://discuss.elastic.co/t/kibana-8-17-3-security-update-esa-2025-06/375441
- https://learn.snyk.io/lesson/prototype-pollution/
- https://www.imperva.com/learn/application-security/prototype-pollution/
- https://socradar.io/kibana-cve-2025-25012-system-code-execution/
- https://www.tenable.com/cve/CVE-2025-25012
- https://feedly.com/cve/CVE-2025-25015
- https://www.elastic.co/guide/en/kibana/current/settings.html
