Kibana 8.18.8, 8.19.4, 9.0.7, 9.1.4 Security Update (ESA-2025-16)

Kibana Cross-Site-Scripting (XSS) (ESA-2025-16)

Improper Neutralization of Input During Web Page Generation in Vega visualizations in Kibana can lead to Cross-Site-Scripting (XSS)

Affected Versions:

  • 7.x: All versions from 7.0.0 and up to and including 7.17.29
  • 8.x: All versions from 8.0.0 and up to and including 8.18.7
  • 8.19.x: All versions from 8.19.0 and up to and including 8.19.3
  • 9.0.x: All versions from 9.0.0 and up to and including 9.0.6
  • 9.1.x: All versions from 9.1.0 and up to and including 9.1.3

Affected Configurations:

All Kibana configurations are affected.

Solutions and Mitigations:

Users should upgrade to version 8.18.8, 8.19.4, 9.0.7, or 9.1.4.

For Users that Cannot Upgrade:

If you are unable to upgrade, you can choose to disable Vega visualizations:

Self-hosted

For on-premise installations, you can set vis_type_vega.enabled: false in the kibana.yml file. Note that this disables all Vega charts in Kibana.

Cloud

For Elastic Cloud deployments, you can reach out to Elastic Support to request that Vega visualizations be disabled in your deployments.
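The following is an added triage helper, not part of the advisory or of Kibana itself. It encodes the affected-version ranges and fixed releases listed above, and checks a kibana.yml for the vis_type_vega.enabled: false workaround, so an operator can tell at a glance whether a self-hosted deployment is affected, mitigated, or in need of an upgrade. It assumes the flat dotted-key form shown in the advisory (and also accepts the equivalent nested two-line YAML form); the sample kibana.yml at the bottom is constructed for illustration.

```python
"""Triage helper for ESA-2025-16 / CVE-2025-25017 (added example, not Elastic's code)."""
import re

# Inclusive (low, high) ranges copied from the advisory's "Affected Versions" list.
AFFECTED_RANGES = [
    ((7, 0, 0), (7, 17, 29)),
    ((8, 0, 0), (8, 18, 7)),
    ((8, 19, 0), (8, 19, 3)),
    ((9, 0, 0), (9, 0, 6)),
    ((9, 1, 0), (9, 1, 3)),
]

# Fixed releases named in the advisory, keyed by (major, minor) of the affected line.
FIXED_RELEASES = {(8, 19): "8.19.4", (9, 0): "9.0.7", (9, 1): "9.1.4"}


def parse_version(version: str) -> tuple:
    """Turn 'major.minor.patch' (an optional pre-release suffix is ignored) into a comparable tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Kibana version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True if the version falls inside any affected range from the advisory."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def recommended_fix(version: str):
    """Fixed release for this version's line, or None when the advisory lists none (e.g. 7.x)."""
    major, minor, _ = parse_version(version)
    if major == 8 and minor < 19:
        return "8.18.8"  # every 8.0.0 - 8.18.7 install moves to 8.18.8
    return FIXED_RELEASES.get((major, minor))


def vega_disabled(kibana_yml: str) -> bool:
    """True if kibana.yml sets vis_type_vega.enabled to false (flat dotted key or nested form).

    Assumption: a line-based scan is enough for this one key; full YAML parsing is not attempted.
    """
    flat = re.compile(r"^\s*vis_type_vega\.enabled\s*:\s*(\S+)")
    nested_parent = re.compile(r"^\s*vis_type_vega\s*:\s*$")
    nested_child = re.compile(r"^\s+enabled\s*:\s*(\S+)")
    in_block = False
    value = None
    for raw in kibana_yml.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        if not line.strip():
            continue
        m = flat.match(line)
        if m:
            value = m.group(1)
            in_block = False
            continue
        if nested_parent.match(line):
            in_block = True
            continue
        if in_block:
            m = nested_child.match(line)
            if m:
                value = m.group(1)
            elif not line.startswith((" ", "\t")):
                in_block = False  # left the vis_type_vega: block
    return value is not None and value.strip("\"'").lower() == "false"


def triage(version: str, kibana_yml: str) -> str:
    """Summarise the deployment's status against the advisory."""
    if not is_affected(version):
        return f"{version}: not affected"
    if vega_disabled(kibana_yml):
        return f"{version}: affected, but Vega visualizations are disabled (workaround in place)"
    fix = recommended_fix(version)
    if fix is None:
        return f"{version}: affected; the advisory lists no fixed release for this line, upgrade to a fixed 8.x/9.x release"
    return f"{version}: affected, upgrade to {fix} (or set vis_type_vega.enabled: false)"


# Constructed sample kibana.yml for illustration only.
SAMPLE_KIBANA_YML = """\
server.port: 5601
server.host: "0.0.0.0"
# temporary mitigation for ESA-2025-16
vis_type_vega.enabled: false
"""

if __name__ == "__main__":
    for ver in ("8.18.7", "8.19.3", "9.1.4", "7.17.29"):
        print(triage(ver, SAMPLE_KIBANA_YML))
        print(triage(ver, "server.port: 5601\n"))
```

Run it against your own kibana.yml and the version reported by the Kibana status API; a result of "not affected" or "workaround in place" is the goal, and the 7.x branch deliberately reports that this advisory names no 7.x fixed release rather than guessing one.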

Severity: CVSSv3.1: 8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N

CVE ID: CVE-2025-25017