As part of the vulnerability assessment (VA) scan on our ELK servers, we identified that the Node.js version is affected by multiple vulnerabilities. We are using a self-managed cluster.
Current Kibana Version: 8.18.0
Path: /usr/share/kibana/node/glibc-217/bin/node
Installed Node.js Version: 20.18.2
The reported CVE IDs are:
CVE-2025-23165
CVE-2025-23166
CVE-2025-23167
Our security team has suggested upgrading to a Node.js version greater than 20.19.2 / 22.15.1 / 23.11.1 / 24.0.2 or later.
How to check which Kibana version has which Node.js version?
Suggest if we have to upgrade the Kibana version to have latest Node.js. (This approach isn’t ideal, as it would require manual intervention each time a new VA / version is discovered.)
Per those guidelines, all reports of potential security issues or vulnerabilities should be sent via email to security@elastic.co.
We are unable to discuss potential issues of this nature here. Please send your report to the email address above, where it can be appropriately handled.
After digging through quite a few articles on upgrading Node.js version in Kibana, I found that there isn't really a straightforward way to do it. Most sources mention that manually upgrading Node.js can cause issues due to internal dependencies within Kibana.
That being said, I came across a helpful GitHub link that lists different Kibana versions. In each version’s package.json file, you can find the required Node.js version under the engines.node field. This makes it easier to see which Node.js version is tied to which Kibana release. (Refer to the attached screenshot for reference.)
So, the best (and safest) way to address Node.js vulnerabilities in Kibana is simply to upgrade Kibana itself to a version that includes a more recent Node.js version.
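The check described in the post above can be scripted. This is an added example, not part of the thread or of Kibana's own code: it reads engines.node from a package.json and compares it with the per-release-line versions the security team listed, which it assumes are the minimum acceptable ("or later"). The function names and the sample package.json are constructed for illustration.

```python
import json
import re

# Minimum fixed Node.js version per major release line, as listed by the
# security team in the question (assumption: read as "this version or later").
FIXED_FLOOR = {20: (20, 19, 2), 22: (22, 15, 1), 23: (23, 11, 1), 24: (24, 0, 2)}


def parse_version(text):
    """Return (major, minor, patch) from strings like 'v20.18.2' or '20.18.2'."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)\.(\d+)\s*", text)
    if not m:
        # A range such as '^20.0.0' is not a pin and cannot be compared directly.
        raise ValueError(f"not an exact x.y.z version: {text!r}")
    return tuple(int(p) for p in m.groups())


def pinned_node(package_json_text):
    """Read engines.node from the text of a Kibana package.json."""
    engines = json.loads(package_json_text).get("engines", {})
    if "node" not in engines:
        raise KeyError("package.json has no engines.node field")
    return parse_version(engines["node"])


def meets_floor(version):
    """True/False against the floor for that major line; None if the line is not listed."""
    floor = FIXED_FLOOR.get(version[0])
    if floor is None:
        return None  # release line not covered by the scanner's list; review manually
    return version >= floor


# Constructed sample input: only the fields of interest, using the Node.js
# version the question reports for Kibana 8.18.0.
SAMPLE_PACKAGE_JSON = '{"name": "kibana", "version": "8.18.0", "engines": {"node": "20.18.2"}}'

if __name__ == "__main__":
    v = pinned_node(SAMPLE_PACKAGE_JSON)
    print(".".join(map(str, v)), "meets floor:", meets_floor(v))
```

The same comparison works on the bundled binary: pass the output of `/usr/share/kibana/node/glibc-217/bin/node --version` to `parse_version` and then to `meets_floor`.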