Kibana 8.17.3 / 8.16.6 Security Update (ESA-2025-06)

Kibana arbitrary code execution via prototype pollution (ESA-2025-06)

Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests.

In Kibana versions >= 8.15.0 and < 8.17.1, this is exploitable by users with the Viewer role. In Kibana versions 8.17.1 and 8.17.2, this is only exploitable by users that have roles that contain all of the following privileges: fleet-all, integrations-all, actions:execute-advanced-connectors.

This issue does not affect self-managed Kibana instances on Basic or Platinum licences.

This issue affects Kibana instances running on Elastic Cloud but the code execution is limited within the Kibana Docker container. Further exploitation such as container escape is prevented by seccomp-bpf and AppArmor profiles.

Affected Versions:

Kibana versions >= 8.15.0 and < 8.16.6
Kibana versions >= 8.17.0 and < 8.17.3

Solutions and Mitigations:

Users should upgrade to Kibana version 8.16.6 or Kibana version 8.17.3.

For users that cannot upgrade:

Set xpack.integration_assistant.enabled: false in Kibana's configuration.
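The following triage helper is an added example, not Elastic's code: it encodes the affected ranges above, the privilege condition that applies to 8.17.1 and 8.17.2, and a check of a kibana.yml for the mitigation setting. It assumes that an absent setting leaves the feature at its default (i.e. not mitigated).

```python
"""Added example (not part of the Elastic advisory): triage helper for ESA-2025-06."""
import re

# Affected ranges from the advisory: (inclusive lower bound, exclusive upper bound)
AFFECTED_RANGES = [((8, 15, 0), (8, 16, 6)), ((8, 17, 0), (8, 17, 3))]
# Versions in which only roles holding all three privileges can exploit the issue
PRIVILEGE_GATED_VERSIONS = {(8, 17, 1), (8, 17, 2)}
REQUIRED_PRIVILEGES = {"fleet-all", "integrations-all", "actions:execute-advanced-connectors"}
MITIGATION_KEY = "xpack.integration_assistant.enabled"


def parse_version(text):
    """Turn '8.17.3' (optionally with a -SNAPSHOT style suffix) into a comparable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", text.strip())
    if not m:
        raise ValueError(f"not a Kibana version: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version):
    """Return (affected, exploitable_by_viewer) for a Kibana version string."""
    v = parse_version(version)
    affected = any(lo <= v < hi for lo, hi in AFFECTED_RANGES)
    if not affected:
        return False, False
    # 8.15.0 <= v < 8.17.1: the Viewer role suffices; 8.17.1/8.17.2: privilege-gated
    return True, v not in PRIVILEGE_GATED_VERSIONS


def role_can_exploit(version, privileges):
    """True if a role with the given privileges could exploit this version."""
    affected, by_viewer = assess(version)
    if not affected:
        return False
    return by_viewer or REQUIRED_PRIVILEGES <= set(privileges)


def mitigation_applied(kibana_yml):
    """True if the kibana.yml text disables the integration assistant as recommended."""
    for line in kibana_yml.splitlines():
        line = line.split("#", 1)[0].strip()  # drop YAML comments
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        if key.strip() == MITIGATION_KEY:
            return value.strip().lower() == "false"
    return False  # assumption: setting absent means the feature keeps its default


if __name__ == "__main__":
    print(assess("8.17.2"), mitigation_applied("server.port: 5601\n"))
```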

Severity: CVSSv3.1: 9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVE ID: CVE-2025-25015

Updates

2025-04-02: Added details about affected versions.
2025-03-07: Added details about applicability.
2025-03-06: Corrected the CVE ID. Previous versions of this page incorrectly referenced CVE-2025-25012.