Kibana Heap Corruption via Crafted HTML Page due to Chromium Type Confusion (ESA-2025-09)
On March 10, 2025, Google announced CVE-2025-2135, which can lead to heap corruption via a crafted HTML page through a Type Confusion vulnerability.
Affected Versions:
Kibana versions up to and including 7.17.28, 8.0.0 up to and including 8.17.7, 8.18.0 up to and including 8.18.2, and 9.0.0 up to and including 9.0.2
Affected Configurations:
Self-hosted and Elastic Cloud Kibana instances where PDF or PNG reporting is used. CSV reporting is not impacted. Serverless projects are not impacted.
Solutions and Mitigations:
Users should upgrade to version 7.17.29, 8.17.8, 8.18.3, or 9.0.3.
For Users that Cannot Upgrade:
Self-hosted
- Disable Reporting:
The Reporting feature can be disabled by adding xpack.reporting.enabled: false to the kibana.yml file.
OR
- Restrict PDF/PNG report generation to trusted accounts.
OR
- Configure reporting with a restrictive network policy, to prevent unauthorized redirection to an attacker-controlled site:
Note: if a network policy is configured, you must include a rule that allows Chromium to connect to Kibana, or report generation will fail. Typically, Chromium connects to Kibana on a local interface, but this may differ depending on the environment and your specific headless browser connection settings.
# kibana.yml
xpack.screenshotting.networkPolicy:
  rules: [ { allow: true, host: "localhost:5601" } ]
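A triage check for self-hosted instances, added here as an example and not part of Elastic's advisory or tooling: it compares a Kibana version against the affected ranges listed above and looks for the two kibana.yml workarounds. The function names and the sample file are constructed for illustration, and the config check assumes flat dotted keys rather than fully parsed YAML.

```python
import re

# Affected ranges as listed in this advisory (inclusive bounds).
AFFECTED = [((0, 0, 0), (7, 17, 28)), ((8, 0, 0), (8, 17, 7)),
            ((8, 18, 0), (8, 18, 2)), ((9, 0, 0), (9, 0, 2))]

def parse_version(text):
    # Accept "X.Y.Z" and ignore any suffix such as "-SNAPSHOT".
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Kibana version: {text!r}")
    return tuple(int(p) for p in m.groups())

def is_affected(version):
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED)

def reporting_disabled(kibana_yml):
    # Assumption: the setting is written as a flat dotted key, uncommented.
    pat = r"^\s*xpack\.reporting\.enabled\s*:\s*false\s*(#.*)?$"
    return re.search(pat, kibana_yml, re.M | re.I) is not None

def has_network_policy(kibana_yml):
    # Presence only; whether the rules are restrictive needs manual review.
    pat = r"^\s*xpack\.screenshotting\.networkPolicy(\.rules)?\s*:"
    return re.search(pat, kibana_yml, re.M) is not None

def assess(version, kibana_yml):
    if not is_affected(version):
        return "not affected"
    if reporting_disabled(kibana_yml):
        return "affected, mitigated: reporting disabled"
    if has_network_policy(kibana_yml):
        return "affected, network policy present: verify the rules are restrictive"
    return "affected, no workaround found: upgrade or apply one"

# Constructed sample kibana.yml, not taken from a real deployment.
SAMPLE_YML = """\
server.port: 5601
# xpack.reporting.enabled: false
xpack.screenshotting.networkPolicy:
  rules: [ { allow: true, host: "localhost:5601" } ]
"""

if __name__ == "__main__":
    for ver in ("7.17.28", "8.17.8", "8.18.2", "9.0.3"):
        print(ver, "->", assess(ver, SAMPLE_YML))
```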
Cloud
On Elastic Cloud the code execution is limited within the Kibana Docker container. Further exploitation such as container escape is prevented by seccomp-bpf and AppArmor profiles. With these counter-measures the risk is reduced.
Users who cannot upgrade can choose to take a precautionary measure by:
- Disabling the Reporting feature for Elastic Cloud deployments. This can be achieved by modifying the Kibana user settings to include the following configuration:
  xpack.reporting.enabled: false
Instructions for editing Kibana user settings on Elastic Cloud are available at https://www.elastic.co/docs/deploy-manage/deploy/elastic-cloud/edit-stack-settings#kibana-settings
OR
- Restrict PDF/PNG report generation to trusted accounts:
a. 8.x: https://www.elastic.co/guide/en/kibana/8.18/reporting-settings-kb.html#reporting-advanced-settings
b. 9.x: https://www.elastic.co/docs/deploy-manage/kibana-reporting-configuration#grant-user-access
Severity: CVSSv3.1: 9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVE ID: CVE-2025-2135