Kibana 7.17.29, 8.17.8, 8.18.3, 9.0.3 Security Update (ESA-2025-09)

Kibana Heap Corruption via Crafted HTML Page due to Chromium Type Confusion (ESA-2025-09)

On March 10, 2025, Google announced CVE-2025-2135, which can lead to heap corruption via a crafted HTML page through a Type Confusion vulnerability.

Affected Versions:
Kibana versions up to and including 7.17.28, 8.0.0 up to and including 8.17.7, 8.18.0 up to and including 8.18.2, and 9.0.0 up to and including 9.0.2

Affected Configurations:
Self-hosted and Elastic Cloud Kibana instances where PDF or PNG reporting is used. CSV reporting is not impacted. Serverless projects are not impacted.

Solutions and Mitigations:
Users should upgrade to version 7.17.29, 8.17.8, or 8.18.3, or 9.0.3.

For Users that Cannot Upgrade:

Self-hosted

1. Disable Reporting:
   The Reporting feature can be disabled by adding xpack.reporting.enabled: false to the kibana.yml file.

OR

2. Limit access to users who can generate PDF/PNG reports to trusted accounts:
   1. 8.x: https://www.elastic.co/guide/en/kibana/8.18/reporting-settings-kb.html#reporting-advanced-settings
   2. 9.x: https://www.elastic.co/docs/deploy-manage/kibana-reporting-configuration#grant-user-access

OR

3. Configure reporting with a restrictive network policy, to prevent unauthorized redirection to an attacker-controlled site:
   If a network policy is configured.
   Note: if a network policy is configured, then you must include a rule which allows Chromium to connect to Kibana for report generation to succeed. Typically, Chromium will connect to Kibana on a local interface, but may be different based on the environment and your specific headless browser connection settings.

# kibana.yml
xpack.screenshotting.networkPolicy:
  rules: [ { allow: true, host: "localhost:5601" } ]

Cloud
On Elastic Cloud the code execution is limited within the Kibana Docker container. Further exploitation such as container escape is prevented by seccomp-bpf and AppArmor profiles. With these counter-measures the risk is reduced.

Users who cannot upgrade can choose to take a precautionary measure by

1. Disabling the Reporting feature for Elastic Cloud deployments. This can be achieved by modifying the Kibana user settings to include the following configuration:

• xpack.reporting.enabled: false

• Instructions for editing Kibana user settings on Elastic Cloud are available at https://www.elastic.co/docs/deploy-manage/deploy/elastic-cloud/edit-stack-settings#kibana-settings

OR

2. Limit access to users who can generate PDF/PNG reports to trusted accounts:
   a. 8.x: https://www.elastic.co/guide/en/kibana/8.18/reporting-settings-kb.html#reporting-advanced-settings
   b. 9.x: https://www.elastic.co/docs/deploy-manage/kibana-reporting-configuration#grant-user-access

Severity: CVSSv3.1: 9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVE ID: CVE-2025-2135