Kibana 7.17.29, 8.17.8, 8.18.3, 9.0.3 Security Update (ESA-2025-09)

ismisepaul · June 24, 2025, 5:00pm

Kibana Heap Corruption via Crafted HTML Page due to Chromium Type Confusion (ESA-2025-09)

On March 10, 2025, Google announced CVE-2025-2135, which can lead to heap corruption via a crafted HTML page through a Type Confusion vulnerability.

Affected Versions:
Kibana versions up to and including 7.17.28, 8.0.0 up to and including 8.17.7, 8.18.0 up to and including 8.18.2, and 9.0.0 up to and including 9.0.2

Affected Configurations:
Self-hosted and Elastic Cloud Kibana instances where PDF or PNG reporting is used. CSV reporting is not impacted. Serverless projects are not impacted.

Solutions and Mitigations:
Users should upgrade to version 7.17.29, 8.17.8, or 8.18.3, or 9.0.3.

For Users that Cannot Upgrade:

Self-hosted

Disable Reporting:
The Reporting feature can be disabled by adding xpack.reporting.enabled: false to the kibana.yml file.

OR

Limit access to users who can generate PDF/PNG reports to trusted accounts:
1. 8.x: https://www.elastic.co/guide/en/kibana/8.18/reporting-settings-kb.html#reporting-advanced-settings
2. 9.x: https://www.elastic.co/docs/deploy-manage/kibana-reporting-configuration#grant-user-access

OR

Configure reporting with a restrictive network policy, to prevent unauthorized redirection to an attacker-controlled site:
If a network policy is configured.
Note: if a network policy is configured, then you must include a rule which allows Chromium to connect to Kibana for report generation to succeed. Typically, Chromium will connect to Kibana on a local interface, but may be different based on the environment and your specific headless browser connection settings.

# kibana.yml
xpack.screenshotting.networkPolicy:
  rules: [ { allow: true, host: "localhost:5601" } ]

Cloud
On Elastic Cloud the code execution is limited within the Kibana Docker container. Further exploitation such as container escape is prevented by seccomp-bpf and AppArmor profiles. With these counter-measures the risk is reduced.

Users who cannot upgrade can choose to take a precautionary measure by

Disabling the Reporting feature for Elastic Cloud deployments. This can be achieved by modifying the Kibana user settings to include the following configuration:

xpack.reporting.enabled: false
Instructions for editing Kibana user settings on Elastic Cloud are available at https://www.elastic.co/docs/deploy-manage/deploy/elastic-cloud/edit-stack-settings#kibana-settings

OR

Limit access to users who can generate PDF/PNG reports to trusted accounts:
a. 8.x: https://www.elastic.co/guide/en/kibana/8.18/reporting-settings-kb.html#reporting-advanced-settings
b. 9.x: https://www.elastic.co/docs/deploy-manage/kibana-reporting-configuration#grant-user-access

Severity: CVSSv3.1: 9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVE ID: CVE-2025-2135

Topic	Replies	Views
Kibana 7.17.8 and 8.5.0 Security Update Security Announcements	12428	December 9, 2022
Kibana 8.10.3, 7.17.14 Security Update Security Announcements docker	10790	October 10, 2023
Kibana 7.17.22 / 8.14.0 Security Update (ESA-2024-17) Security Announcements	3935	June 14, 2024
Kibana 8.12.1, 7.17.18 Security Update (ESA-2024-04) Security Announcements docker	9422	February 7, 2024
Kibana 8.17.6, 8.18.1, or 9.0.1 Security Update (ESA-2025-07) Security Announcements	9204	May 6, 2025

Kibana 7.17.29, 8.17.8, 8.18.3, 9.0.3 Security Update (ESA-2025-09)

Related topics