Prototype Pollution Vulnerability in Kibana by Elastic
CVE-2025-25015

9.9CRITICAL

Key Information:

Vendor
Elastic
Status
Kibana
Vendor
CVE Published:
5 March 2025

Badges

📈 Score: 390📰 News Worthy

What is CVE-2025-25015?

CVE-2025-25015 is a prototype pollution vulnerability found in Kibana, a data visualization and exploration tool designed for use with Elasticsearch. This vulnerability can be exploited to achieve arbitrary code execution through specifically crafted file uploads and HTTP requests. The impact on organizations can be severe, as an attacker could potentially gain unauthorized access to sensitive data, compromise system integrity, or deploy malicious software—all of which can disrupt business operations and lead to significant financial losses.

Technical Details

This vulnerability specifically affects Kibana versions 8.15.0 to 8.17.2, with different exploitability based on user roles. In versions 8.15.0 to 8.17.1, any user with the Viewer role can exploit it. However, in versions 8.17.1 and 8.17.2, the exploit requires users to have more privileged roles that include fleet-all, integrations-all, and actions:execute-advanced-connectors. The nature of the vulnerability stems from prototype pollution, which allows attackers to craft specific requests or payloads that manipulate an application's behavior, leading to unauthorized code execution.

Potential impact of CVE-2025-25015

  1. Unauthorized Access and Control: The vulnerability allows attackers to execute arbitrary code, which can lead to unauthorized access to sensitive data and administrative controls within the Kibana environment.

  2. Data Integrity Compromise: With the ability to manipulate code execution through exploitations, an attacker could potentially alter or delete critical data, damaging the integrity of the information stored in Kibana.

  3. Operational Disruption: By exploiting this vulnerability, an attacker can disrupt normal operations by deploying malicious actions, potentially leading to downtime, which can have substantial financial implications for organizations reliant on Kibana for data analysis and visualization.

Affected Version(s)

Kibana 8.15.0 <= 8.17.2

News Articles

favicon imagebasefortify.eu

CVE-2025-25015

Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests. In Kibana versions &gt;= 8.15.0 and &lt; 8.17.1, this is exploitable by users...

2 weeks ago

References

https://discuss.elastic.co/t/kibana-8-17-3-security-updat...

CVSS V3.1

Score:
9.9
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • 📰

    First article discovered by basefortify.eu

  • Vulnerability published

  • Vulnerability Reserved

.