Prototype Pollution Vulnerability in Kibana by Elastic
CVE-2025-25015
What is CVE-2025-25015?
CVE-2025-25015 is a prototype pollution vulnerability in Kibana, Elastic's data visualization and exploration front end for Elasticsearch. It can be exploited to achieve arbitrary code execution through a specifically crafted file upload combined with specifically crafted HTTP requests. The impact on an organization can be severe: an attacker could gain unauthorized access to sensitive data, compromise system integrity, or deploy malicious software, any of which can disrupt business operations and cause significant financial loss.
Technical Details
This vulnerability affects Kibana versions 8.15.0 through 8.17.2, with exploitability depending on the caller's role. In versions from 8.15.0 up to (but not including) 8.17.1, any user with the Viewer role can exploit it. In versions 8.17.1 and 8.17.2, exploitation requires a more privileged user whose roles include the fleet-all, integrations-all and actions:execute-advanced-connectors privileges. The root cause is prototype pollution: attacker-controlled input is merged into a shared JavaScript object prototype, altering the application's behavior for every object that inherits from it, which in this case leads to unauthorized code execution.
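To make the vulnerability class concrete, the following is an added, self-contained illustration of prototype pollution in a recursive object merge, shown beside a hardened version. It is not Kibana's code and does not reproduce the CVE-2025-25015 attack path; the function names, the constructed request body and the `polluted` marker property are all assumptions made for this example.

```javascript
// Added example: a generic demonstration of the prototype pollution bug
// class. This is not Kibana's code and not the CVE-2025-25015 exploit path;
// function names and the sample body are constructed for illustration.

// Vulnerable deep-merge: copies every key of `source` into `target`,
// including "__proto__". Reading target["__proto__"] on a plain object
// returns Object.prototype, so the recursion writes into the prototype
// shared by every ordinary object in the process.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened deep-merge: drops the keys that reach the prototype chain,
// only descends into the target's own properties, and creates nested
// containers with a null prototype so they inherit nothing.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      continue; // discard the key rather than traverse through it
    }
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          target[key] === null || typeof target[key] !== 'object') {
        target[key] = Object.create(null);
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed input: the kind of JSON body a handler parses and merges into
// a settings object. JSON.parse turns "__proto__" into an ordinary own
// property, which is exactly what the unsafe merge then follows.
const CONSTRUCTED_BODY =
  '{"title": "dashboard", "__proto__": {"polluted": true}}';

// Feeds the body through the given merge and reports whether an unrelated,
// freshly created object picked up the injected property.
function demonstrate(mergeFn) {
  const settings = {};
  mergeFn(settings, JSON.parse(CONSTRUCTED_BODY));
  const unrelated = {};
  const leaked = unrelated.polluted === true;
  // Clean up any pollution so the rest of the process is unaffected.
  delete Object.prototype.polluted;
  return { title: settings.title, leaked };
}

console.log('unsafeMerge:', demonstrate(unsafeMerge)); // leaked: true
console.log('safeMerge:  ', demonstrate(safeMerge));   // leaked: false
```

The `leaked` flag is the detection signal a defender cares about: after the vulnerable merge, an object that never touched the request carries the attacker's property. Beyond fixing the merge, Node.js can be started with `--disable-proto=delete` so the `__proto__` accessor is absent altogether, which turns this whole class of bug into a harmless extra key.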
Potential impact of CVE-2025-25015
- Unauthorized Access and Control: The vulnerability allows attackers to execute arbitrary code, which can lead to unauthorized access to sensitive data and administrative controls within the Kibana environment.
- Data Integrity Compromise: With the ability to manipulate code execution, an attacker could alter or delete critical data, damaging the integrity of the information stored in Kibana.
- Operational Disruption: By exploiting this vulnerability, an attacker can disrupt normal operations by deploying malicious actions, potentially causing downtime with substantial financial implications for organizations that rely on Kibana for data analysis and visualization.
Affected Version(s)
Kibana >= 8.15.0 and <= 8.17.2
News Articles
- CVE-2025-25015 (1 week ago): Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests. In Kibana versions >= 8.15.0 and < 8.17.1, this is exploitable by users...
Timeline
- First article discovered by basefortify.eu
- Vulnerability published
- Vulnerability reserved