Kibana 8.19.7, 9.1.7, 9.2.1 Security Update (ESA-2025-25)

Kibana Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (ESA-2025-25)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Kibana can lead to DOM-based XSS due to Kibana's use of the Vega library. The underlying issue in Vega is tracked as CVE-2025-59840.

Affected Versions:

All Kibana versions up to and including 8.19.6

All Kibana versions from 9.0.0 up to and including 9.1.6

Kibana version 9.2.0

Affected Configurations:

All Kibana instances where Vega visualizations are enabled (the default behavior).

Solutions and Mitigations:

Users should upgrade to version 8.19.7, 9.1.7, or 9.2.1.

For Users that Cannot Upgrade:

Self-hosted

For on-premises installations, you can set vis_type_vega.enabled: false in the kibana.yml file. Note that this will disable all Vega charts in Kibana.

Cloud

For Elastic Cloud deployments, you can set vis_type_vega.enabled: false in the Kibana user settings. Note that this will disable all Vega charts in Kibana.
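The following script is an added example, not part of the advisory or of Elastic's tooling. It encodes the affected version ranges listed above and checks a kibana.yml for the vis_type_vega.enabled: false workaround, so an operator can triage a fleet of self-hosted instances before and after applying the mitigation. The version ranges and fixed versions are taken from this advisory only; the config parser is a deliberately small line-based reader (assumption: it handles the dotted key and the two-level nested form, ignores comments, and, like a YAML loader, lets the last occurrence win), and the sample kibana.yml fragments are constructed for the example.

```python
"""Triage helper for ESA-2025-25 (Kibana DOM-based XSS via Vega).

Added example: checks a Kibana version against the advisory's affected
ranges and whether kibana.yml carries the documented mitigation.
"""
import re

# Inclusive (low, high) ranges from the advisory; None means "no lower bound".
AFFECTED_RANGES = [
    (None, (8, 19, 6)),        # all versions up to and including 8.19.6
    ((9, 0, 0), (9, 1, 6)),    # 9.0.0 through 9.1.6
    ((9, 2, 0), (9, 2, 0)),    # exactly 9.2.0
]
FIXED_VERSIONS = ("8.19.7", "9.1.7", "9.2.1")


def parse_version(text):
    """Turn '8.19.6', 'v9.2.0' or '9.1.6-SNAPSHOT' into an int tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", text.strip())
    if not m:
        raise ValueError(f"not a Kibana version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if the version falls inside one of the advisory's affected ranges.
    Versions outside every listed range (e.g. the fixed releases) return False."""
    v = parse_version(version)
    return any((low is None or low <= v) and v <= high for low, high in AFFECTED_RANGES)


def vega_disabled(kibana_yml):
    """True if the config sets vis_type_vega.enabled to false.

    Assumption: a minimal reader for the two spellings kibana.yml commonly uses,
        vis_type_vega.enabled: false
    or
        vis_type_vega:
          enabled: false
    Comments are stripped and the last occurrence wins, as in YAML.
    """
    result = None
    in_vega_block = False
    for raw in kibana_yml.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop trailing comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("\"'").lower()
        if indent == 0:
            in_vega_block = key == "vis_type_vega" and value == ""
            if key == "vis_type_vega.enabled":
                result = value
        elif in_vega_block and key == "enabled":
            result = value
    return result == "false"


def assess(version, kibana_yml=""):
    """Combine both checks into the action the advisory prescribes."""
    if not is_affected(version):
        return {"affected": False, "mitigated": True,
                "action": "none: version is not in an affected range"}
    if vega_disabled(kibana_yml):
        return {"affected": True, "mitigated": True,
                "action": "interim workaround present; still upgrade to "
                          + ", ".join(FIXED_VERSIONS)}
    return {"affected": True, "mitigated": False,
            "action": "upgrade to " + ", ".join(FIXED_VERSIONS)
                      + " or set vis_type_vega.enabled: false"}


# Constructed sample configs (not real deployments).
SAMPLE_MITIGATED = """
server.port: 5601            # unrelated setting
vis_type_vega:
  enabled: false             # ESA-2025-25 workaround
"""
SAMPLE_UNMITIGATED = "server.port: 5601\nvis_type_vega.enabled: true\n"

if __name__ == "__main__":
    for ver, cfg in [("8.19.6", SAMPLE_MITIGATED), ("9.2.0", SAMPLE_UNMITIGATED),
                     ("9.2.1", SAMPLE_UNMITIGATED)]:
        print(ver, assess(ver, cfg))
```

Run it against the version reported by the Kibana status API and the instance's kibana.yml; a result with "mitigated": false on an affected version is the case that needs action first.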

Elastic Cloud Serverless

Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in Elastic Cloud Serverless before public disclosure.

Severity: CVSSv3.1: 8.7 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N

CVE ID: CVE-2025-59840