Advisory

Elastic fixes critical prototype pollution flaw in Kibana

Take action: If you are using Elastic Kibana software, this is a priority item. By their nature, most Kibana instances are by design exposed to the public or to a wide number of users, so attackers will quickly find them. Either patch immediately or disable the Integration Assistant feature in the Kibana config.


Learn More

Elastic has released security updates to patch a critical vulnerability in Kibana, the data visualization dashboard software for Elasticsearch. 

The flaw, tracked as CVE-2025-25012 (CVSS score 9.9) and later reassigned to CVE-2025-25015, is a prototype pollution issue, which enables attackers to manipulate JavaScript objects and properties within the application. According to Elastic's advisory released on Wednesday, this security flaw could lead to "arbitrary code execution via a crafted file upload and specifically crafted HTTP requests."
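As an added illustration of the bug class named above (this is not Kibana's code and not the vulnerable path from the advisory), the JavaScript below shows how an unsafe recursive merge of untrusted JSON lets a nested "__proto__" key write through to Object.prototype, beside a hardened merge that refuses it; the sample body and the pollutes() checker are constructed for this example.

```javascript
// Added illustration of the prototype-pollution bug class (not Kibana's code).
// Unsafe deep merge: copies every key of an untrusted object, including
// "__proto__", so nested input writes through to Object.prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (val && typeof val === "object" && !Array.isArray(val)) {
      if (!target[key] || typeof target[key] !== "object") target[key] = {};
      unsafeMerge(target[key], val); // for key "__proto__" this descends into Object.prototype
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened deep merge: skip the keys that reach a prototype and only descend
// into the target's own properties, so the merge can never leave the object.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const val = source[key];
    if (val && typeof val === "object" && !Array.isArray(val)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || typeof target[key] !== "object") target[key] = {};
      safeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Constructed sample body: the nested "__proto__" key is the shape this bug
// class takes in a parsed JSON document (hypothetical input for this example).
const SAMPLE_JSON = '{"title":"dashboard","__proto__":{"polluted":"yes"}}';

// Merge the sample into a fresh object with the given function and report
// whether an unrelated object picked up the "polluted" property; the global
// prototype is restored afterwards so the check is repeatable.
function pollutes(mergeFn) {
  const bystander = {};
  try {
    mergeFn({}, JSON.parse(SAMPLE_JSON));
    return bystander.polluted === "yes";
  } finally {
    delete Object.prototype.polluted;
  }
}
console.log(pollutes(unsafeMerge), pollutes(safeMerge)); // true false
```

The same "refuse __proto__, constructor and prototype keys" rule is what request-body validation or a schema check should enforce before any merge, clone or set-by-path helper runs on user-supplied JSON.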

The vulnerability impacts all Kibana versions from 8.15.0 through 8.17.3, with varying exploitation requirements depending on version:

  • For versions 8.15.0 to 8.17.0: Attackers need only Viewer role privileges to exploit the vulnerability
  • For versions 8.17.1 and 8.17.2: Exploitation requires users to have all of the following privileges:
    • fleet-all
    • integrations-all
    • actions:execute-advanced-connectors

Elastic has addressed this vulnerability in Kibana version 8.17.3. Users are strongly advised to update to this patched version as soon as possible to protect their systems from potential attacks.

For organizations unable to immediately apply the update, Elastic recommends that users disable the Integration Assistant feature by setting xpack.integration_assistant.enabled: false in the Kibana configuration file (kibana.yml).
