Kibana 7.17.29, 8.17.8, 8.18.3, 9.0.3 Security Update (ESA-2025-09)

Kibana Heap Corruption via Crafted HTML Page due to Chromium Type Confusion (ESA-2025-09)

On March 10, 2025, Google announced CVE-2025-2135, which can lead to heap corruption via a crafted HTML page through a Type Confusion vulnerability.

Affected Versions:
Kibana versions up to and including 7.17.28, 8.0.0 up to and including 8.17.7, 8.18.0 up to and including 8.18.2, and 9.0.0 up to and including 9.0.2

Affected Configurations:
Self-hosted and Elastic Cloud Kibana instances where PDF or PNG reporting is used. CSV reporting is not impacted. Serverless projects are not impacted.

Solutions and Mitigations:
Users should upgrade to version 7.17.29, 8.17.8, 8.18.3, or 9.0.3.

For Users that Cannot Upgrade:

Self-hosted

  1. Disable Reporting:
    The Reporting feature can be disabled by adding xpack.reporting.enabled: false to the kibana.yml file.

OR

  1. Limit the ability to generate PDF/PNG reports to trusted accounts:
    1. 8.x: https://www.elastic.co/guide/en/kibana/8.18/reporting-settings-kb.html#reporting-advanced-settings
    2. 9.x: https://www.elastic.co/docs/deploy-manage/kibana-reporting-configuration#grant-user-access

OR

  1. Configure reporting with a restrictive network policy, to prevent unauthorized redirection to an attacker-controlled site:
    Note: if a network policy is configured, you must include a rule that allows Chromium to connect to Kibana for report generation to succeed. Typically, Chromium connects to Kibana on a local interface, but this may differ depending on the environment and your specific headless browser connection settings.
# kibana.yml
xpack.screenshotting.networkPolicy:
  rules: [ { allow: true, host: "localhost:5601" } ]
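
To triage a self-hosted instance against this advisory, the following added example (not Elastic's code) checks a version string against the affected ranges listed above and looks for the two file-based mitigations in kibana.yml. The function names and the sample file content are constructed for illustration, and only the flat dotted-key form shown in this advisory is recognised.

```python
import re

# Inclusive affected ranges, taken from the "Affected Versions" paragraph.
AFFECTED = [
    ((0, 0, 0), (7, 17, 28)),
    ((8, 0, 0), (8, 17, 7)),
    ((8, 18, 0), (8, 18, 2)),
    ((9, 0, 0), (9, 0, 2)),
]

def parse_version(text):
    """Parse 'X.Y.Z' into a tuple; a suffix such as '-SNAPSHOT' is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part) for part in m.groups())

def is_affected(version):
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED)

def mitigations(kibana_yml):
    """List the advisory mitigations visible in kibana.yml text.

    The trusted-accounts option lives in role configuration, not in this
    file, so it cannot be detected here.
    """
    # Drop comments so a commented-out setting is not counted.
    text = "\n".join(line.split("#", 1)[0] for line in kibana_yml.splitlines())
    found = []
    if re.search(r"^xpack\.reporting\.enabled:\s*false\s*$", text, re.M):
        found.append("reporting disabled")
    if re.search(r"^xpack\.screenshotting\.networkPolicy:\s*\n\s+rules:\s*\[\s*\{",
                 text, re.M):
        found.append("network policy")
    return found

def assess(version, kibana_yml):
    if not is_affected(version):
        return "not affected"
    found = mitigations(kibana_yml)
    if found:
        return "affected; configured: " + ", ".join(found)
    return "affected; no mitigation in kibana.yml"

# Constructed sample input, not taken from a real deployment.
SAMPLE_YML = """\
# xpack.reporting.enabled: false
xpack.screenshotting.networkPolicy:
  rules: [ { allow: true, host: "localhost:5601" } ]
"""
```

A detected network policy only shows that rules exist; whether they are restrictive enough for your environment still needs manual review.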

Cloud
On Elastic Cloud, code execution is confined to the Kibana Docker container. Further exploitation such as container escape is prevented by seccomp-bpf and AppArmor profiles. With these counter-measures the risk is reduced.

Users who cannot upgrade can choose to take a precautionary measure by

  1. Disabling the Reporting feature for Elastic Cloud deployments. This can be achieved by modifying the Kibana user settings to include the following configuration:

OR

  1. Limiting the ability to generate PDF/PNG reports to trusted accounts:
    a. 8.x: https://www.elastic.co/guide/en/kibana/8.18/reporting-settings-kb.html#reporting-advanced-settings
    b. 9.x: https://www.elastic.co/docs/deploy-manage/kibana-reporting-configuration#grant-user-access

Severity: CVSSv3.1: 9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVE ID: CVE-2025-2135