Kibana Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (ESA-2025-34)
Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to embed a malicious script in content that will be served to web browsers causing cross-site scripting (XSS) (CAPEC-63) via a method in Vega bypassing a previous Vega XSS mitigation.
Affected Versions:
- 7.x: All versions
- 8.x: All versions from 8.0.0 up to and including 8.19.8
- 9.x:
  - All versions from 9.0.0 up to and including 9.1.8
  - All versions from 9.2.0 up to and including 9.2.2
Solutions and Mitigations:
The issue is resolved in versions 8.19.9, 9.1.9, and 9.2.3.
For Users that Cannot Upgrade:
Self-hosted
For on-premises installations, set vis_type_vega.enabled: false in the kibana.yml file. Note that this disables all Vega charts in Kibana.
Cloud
For Elastic Cloud deployments, set vis_type_vega.enabled: false in the Kibana user settings. Note that this disables all Vega charts in Kibana.
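As an added check that is not part of this advisory or of Kibana's own code, the following Python helper encodes the affected ranges listed above and verifies whether a kibana.yml (or Cloud user settings YAML) carries the vis_type_vega.enabled: false mitigation in either its dotted or nested form; the sample configuration is constructed.

```python
"""Check a Kibana deployment against ESA-2025-34 (CVE-2025-68385).

Added helper, not Elastic's code: encodes the advisory's affected ranges and
checks a kibana.yml (or Cloud user settings YAML) for the documented
mitigation, vis_type_vega.enabled: false.
"""
import re

# Affected ranges from the advisory, inclusive on both ends. 7.x is handled
# separately because the advisory lists every 7.x release as affected.
AFFECTED_RANGES = [
    ((8, 0, 0), (8, 19, 8)),
    ((9, 0, 0), (9, 1, 8)),
    ((9, 2, 0), (9, 2, 2)),
]


def parse_version(version: str) -> tuple:
    """'8.19.8' -> (8, 19, 8); a suffix such as '-SNAPSHOT' is ignored."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Kibana version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True if the version falls in a range the advisory lists as affected."""
    ver = parse_version(version)
    if ver[0] == 7:
        return True
    return any(lo <= ver <= hi for lo, hi in AFFECTED_RANGES)


def vega_disabled(kibana_yml: str) -> bool:
    """True if the config disables Vega via 'vis_type_vega.enabled: false'
    or the nested 'vis_type_vega:' / '  enabled: false' form.
    Deliberately line-based (no YAML dependency); the last setting wins."""
    result = None
    in_vega_block = False
    for raw in kibana_yml.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop trailing comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip().lower()
        if indent == 0:
            in_vega_block = key == "vis_type_vega" and value == ""
            if key == "vis_type_vega.enabled":
                result = value == "false"
        elif in_vega_block and key == "enabled":
            result = value == "false"
    return result is True


# Constructed sample: an affected version whose config carries the mitigation.
SAMPLE_YML = "server.port: 5601\nvis_type_vega:\n  enabled: false  # ESA-2025-34\n"
```

A deployment is exposed when is_affected() is True and vega_disabled() is False for its running config; upgrading to a fixed version remains the primary remedy.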
Elastic Cloud Serverless
Because of our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in Elastic Cloud Serverless before public disclosure.
Severity: CVSSv3.1: 7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
CVE ID: CVE-2025-68385