Kibana 8.17.6, 8.18.1, or 9.0.1 Security Update (ESA-2025-07)

Kibana arbitrary code execution via prototype pollution (ESA-2025-07)
A prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine learning and reporting endpoints.

Affected Versions:
8.3.0 to 8.17.5, 8.18.0, and 9.0.0

Affected Configurations:
Self-hosted and Elastic Cloud deployments with both Kibana’s Machine Learning and Reporting features enabled.

Solutions and Mitigations:
Users should upgrade to version 8.17.6, 8.18.1, or 9.0.1.

For Users that Cannot Upgrade:

Self-hosted

Users with a self-hosted deployment who cannot upgrade should disable either Machine Learning OR Reporting.

  1. Disable Machine Learning:
    The Machine Learning feature can be disabled by adding xpack.ml.enabled: false to the elasticsearch.yml file.
    Alternatively, users can disable just the anomaly detection feature by adding xpack.ml.ad.enabled: false to the kibana.yml file.

OR

  1. Disable Reporting:
    The Reporting feature can be disabled by adding xpack.reporting.enabled: false to the kibana.yml file.

Elastic Cloud

On Elastic Cloud the code execution is limited to the Kibana Docker container. Further exploitation such as container escape is prevented by seccomp-bpf and AppArmor profiles. With these countermeasures the risk is reduced.

Users who cannot upgrade can choose to take a further measure by disabling the "Reporting" feature for Elastic Cloud deployments. This can be achieved by modifying the Kibana user settings to include the following configuration:

xpack.reporting.enabled: false

Instructions for editing Kibana user settings on Elastic Cloud are available at https://www.elastic.co/docs/deploy-manage/deploy/elastic-cloud/edit-stack-settings#kibana-settings
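As an added example (not Elastic's code or tooling), the following Python checks a deployment against this advisory: whether its Kibana version falls in the affected range listed above, and whether one of the three mitigation settings above is present in its kibana.yml or elasticsearch.yml. It assumes flat `key: value` settings files (no nested YAML blocks) and reads them with a minimal parser rather than a YAML library.

```python
import re

# Affected versions per the advisory: 8.3.0 through 8.17.5 inclusive, plus 8.18.0 and 9.0.0.
AFFECTED_RANGE = ((8, 3, 0), (8, 17, 5))
AFFECTED_EXACT = {(8, 18, 0), (9, 0, 0)}


def parse_version(text: str) -> tuple:
    """'8.17.5' or '8.17.5-SNAPSHOT' -> (8, 17, 5); raises ValueError otherwise."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Kibana version: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(version: str) -> bool:
    """True when the version is one the advisory lists as vulnerable."""
    v = parse_version(version)
    lo, hi = AFFECTED_RANGE
    return lo <= v <= hi or v in AFFECTED_EXACT


def parse_flat_yaml(text: str) -> dict:
    """Minimal reader for flat 'dotted.key: value' lines (assumption: no nested
    YAML blocks); strips comments and maps true/false to booleans."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        value = value.strip().strip("\"'")
        settings[key.strip()] = {"true": True, "false": False}.get(value.lower(), value)
    return settings


def assess(version: str, kibana_yml: str = "", elasticsearch_yml: str = "") -> str:
    """Return 'not-affected', 'mitigated' or 'vulnerable' for one deployment."""
    if not is_affected(version):
        return "not-affected"
    kb = parse_flat_yaml(kibana_yml)
    es = parse_flat_yaml(elasticsearch_yml)
    # The bug needs ML and Reporting both enabled, so any one of the three
    # settings from the advisory breaks the vulnerable combination.
    ml_off = es.get("xpack.ml.enabled") is False or kb.get("xpack.ml.ad.enabled") is False
    reporting_off = kb.get("xpack.reporting.enabled") is False
    return "mitigated" if (ml_off or reporting_off) else "vulnerable"
```

Pass the contents of the real settings files as the two string arguments; an affected version with none of the three settings set to false reports "vulnerable".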

Severity: CVSSv3.1: 9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVE ID: CVE-2025-25014


Changes

  • 2025-05-14: Created separate sections for self-hosted and Elastic Cloud under the section "For Users that Cannot Upgrade:". Clarified which countermeasures are in place for Elastic Cloud hosted deployments and which configuration changes are possible for each deployment type.

  • 2025-05-08: Previously the document stated that xpack.ml.enabled: false is set in the kibana.yml file; however, this should have read elasticsearch.yml. The document has been updated accordingly.
