Elastic has issued a security advisory for Kibana warning of a critical vulnerability that could allow attackers to execute arbitrary code via prototype pollution. The issue, tracked as CVE-2025-25014, carries a CVSS v3.1 base score of 9.1 (Critical).

The vulnerability, disclosed under Elastic Security Advisory ESA-2025-07, affects Kibana versions 8.3.0 through 8.17.5, as well as 8.18.0 and 9.0.0. It applies to both self-hosted and Elastic Cloud deployments, but only where the Machine Learning and Reporting features are both enabled.

According to Elastic, specially crafted HTTP requests to Kibana's machine learning and reporting endpoints can trigger the prototype pollution flaw, potentially leading to arbitrary code execution on the host system. Prototype pollution is a JavaScript bug class in which attacker-controlled object keys such as `__proto__` get written onto the shared `Object.prototype`, so every object in the Node.js process (Kibana is a Node.js application) inherits attacker-chosen properties; code that later reads a property it never set can then be steered by the attacker.
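The following is an added illustration of the bug class, not Kibana's code and not the specific flaw behind CVE-2025-25014: a naive deep merge of attacker-controlled JSON into an options object pollutes `Object.prototype`, while the hardened merge beside it refuses the prototype-reaching keys. The payload and the `isAdmin` property are constructed for the demo.

```javascript
"use strict";
// Added example, not code from Kibana or Elastic: a minimal Node.js
// prototype-pollution bug (attacker JSON deep-merged into an options object)
// next to a hardened merge. The payload below is constructed for the demo.

const DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Vulnerable: recursive merge that trusts every key in the request body.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === "object") {
      if (target[key] === null || typeof target[key] !== "object") target[key] = {};
      // With key === "__proto__", target[key] is Object.prototype, so the
      // recursion writes attacker fields onto every object in the process.
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: skip prototype-reaching keys, only overwrite own properties, and
// create nested objects with a null prototype so there is nothing to pollute.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (DANGEROUS_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === "object") {
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          target[key] === null || typeof target[key] !== "object") {
        target[key] = Object.create(null);
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker payload: a request body carrying a "__proto__" key.
// JSON.parse turns it into an ordinary own property, so the merge sees it.
const ATTACKER_BODY = '{"title":"weekly","__proto__":{"isAdmin":true}}';

// Runs one merge over the payload and reports whether an unrelated, freshly
// created object gained the attacker's property. Cleans up Object.prototype
// afterwards so the runtime is restored for the next check.
function pollutes(mergeFn) {
  const options = { title: "default" };
  mergeFn(options, JSON.parse(ATTACKER_BODY));
  const polluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return polluted;
}

console.log("unsafeMerge pollutes Object.prototype:", pollutes(unsafeMerge)); // true
console.log("safeMerge pollutes Object.prototype:", pollutes(safeMerge));     // false
```

The hardened version is deliberately strict about `constructor` and `prototype` as well as `__proto__`, since `constructor.prototype` is the other common path to the shared prototype in real merge and `set`-style helpers.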

Mitigation of CVE-2025-25014

Elastic urges all users to immediately upgrade to one of the patched versions:

  • 8.17.6
  • 8.18.1
  • 9.0.1

For users unable to upgrade immediately, Elastic advises disabling either Machine Learning or Reporting as an interim mitigation; the flaw requires both features to be enabled.

To Disable Machine Learning

  • Add `xpack.ml.enabled: false` to the `kibana.yml` configuration file and restart Kibana for the change to take effect.
  • For self-hosted users wanting more granular control, anomaly detection can be disabled independently using `xpack.ml.ad.enabled: false`.

To Disable Reporting

Add `xpack.reporting.enabled: false` to the `kibana.yml` configuration file and restart Kibana for the change to take effect.
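As an added example (not Elastic's tooling), the following helper encodes the affected version ranges and the interim-mitigation condition above so that a fleet of Kibana instances can be triaged from their version strings and `kibana.yml` contents. It assumes plain `x.y.z` version strings, top-level `key: value` lines in `kibana.yml`, and that both settings default to enabled when absent; the sample configs are constructed.

```javascript
"use strict";
// Added example, not Elastic's tooling: a triage helper that encodes the
// affected ranges and interim mitigation from ESA-2025-07. Assumes plain
// x.y.z versions and a kibana.yml with top-level "key: value" lines.

const AFFECTED_RANGES = [
  ["8.3.0", "8.17.5"],
  ["8.18.0", "8.18.0"],
  ["9.0.0", "9.0.0"],
];

function parseVersion(v) {
  const parts = v.trim().split(".").map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) throw new Error(`bad version: ${v}`);
  return parts;
}

// Component-wise numeric comparison: a plain string compare would sort
// 8.9.0 after 8.17.5 and misclassify it as fixed.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

function isAffectedVersion(version) {
  return AFFECTED_RANGES.some(([lo, hi]) =>
    compareVersions(version, lo) >= 0 && compareVersions(version, hi) <= 0);
}

// Reads the two settings the advisory names. Both are assumed to default to
// enabled when the key is absent; quoted values and trailing comments are tolerated.
function readFeatureFlags(kibanaYml) {
  const flags = { "xpack.ml.enabled": true, "xpack.reporting.enabled": true };
  for (const line of kibanaYml.split("\n")) {
    const m = line.match(
      /^\s*(xpack\.(?:ml|reporting)\.enabled)\s*:\s*["']?(true|false)["']?\s*(?:#.*)?$/);
    if (m) flags[m[1]] = m[2] === "true";
  }
  return flags;
}

// Verdict for one instance: exposed only when the version is in range AND
// both features are enabled, matching the advisory's precondition.
function assess(version, kibanaYml) {
  const affected = isAffectedVersion(version);
  const flags = readFeatureFlags(kibanaYml);
  const exposed = affected && flags["xpack.ml.enabled"] && flags["xpack.reporting.enabled"];
  let action;
  if (!affected) action = "not in affected range";
  else if (!exposed) action = "interim mitigation in place; still schedule the upgrade";
  else action = "upgrade to 8.17.6 / 8.18.1 / 9.0.1, or disable ML or Reporting now";
  return { version, affected, exposed, action };
}

// Constructed sample configs, not real deployments.
const SAMPLE_DEFAULT_YML =
  'server.port: 5601\nelasticsearch.hosts: ["http://localhost:9200"]\n';
const SAMPLE_MITIGATED_YML = SAMPLE_DEFAULT_YML + "xpack.reporting.enabled: false\n";

console.log(assess("8.17.5", SAMPLE_DEFAULT_YML));   // affected, exposed
console.log(assess("8.17.5", SAMPLE_MITIGATED_YML)); // affected, not exposed
console.log(assess("8.17.6", SAMPLE_DEFAULT_YML));   // not affected
console.log(assess("8.9.0", SAMPLE_DEFAULT_YML));    // affected (numeric compare)
```

Note that the mitigation check is only as good as the file it reads: settings supplied through environment variables or a cloud console are not visible to it, so treat "mitigated" from this helper as a prompt to confirm in the running instance, not as proof.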

As of now, there is no public evidence of active exploitation, but Kibana instances are frequently reachable from the internet, and if proof-of-concept code surfaces the vulnerability could be weaponized quickly. Patching, or applying the interim mitigation, should not wait for that signal.

Source: hxxps[://]discuss[.]elastic[.]co/t/kibana-8-17-6-8-18-1-or-9-0-1-security-update-esa-2025-07/377868

Follow Cybersecurity88 on X and Linkedin for the latest cybersecurity news