Product Details
- Product: Kibana
- Version: 8.19.9
- Deployment: Self-managed / Community
- Build type: Official Elastic Docker / tar distribution
- Issue category: Third-party dependency vulnerabilities
Identified Vulnerabilities

1. LangChain – Serialization Injection
   - Package: @langchain/core
   - Installed: 0.3.57
   - Fixed in: 0.3.80
   - GHSA: GHSA-r399-636x-v7f6
   - Severity: HIGH
   - Impact: Potential secret extraction via unsafe serialization

2. LangChain (core package)
   - Package: langchain
   - Installed: 0.3.15
   - Fixed in: 0.3.37
   - GHSA: GHSA-r399-636x-v7f6
   - Severity: HIGH

3. expr-eval – Prototype Pollution
   - Package: expr-eval
   - Installed: 2.0.2
   - GHSA: GHSA-8gw3-rxh4-v6jx
   - Severity: HIGH
   - Impact: Prototype pollution via crafted expressions

4. expr-eval – Unsafe function execution
   - Package: expr-eval
   - Installed: 2.0.2
   - GHSA: GHSA-jc85-fpwf-qm7x
   - Severity: HIGH

5. systeminformation – Command Injection (Windows)
   - Package: systeminformation
   - Installed: 5.23.8
   - Fixed in: 5.27.14
   - GHSA: GHSA-wphj-fx3q-84ch
   - Severity: HIGH

6. gpgv – OS package vulnerability
   - Package: gpgv
   - Installed: 2.4.4-2ubuntu17.3
   - Fixed in: 2.4.4-2ubuntu17.4
   - CVE: CVE-2025-68973
   - Severity: HIGH
Questions for Elastic Security Team
- Are these vulnerabilities considered reachable / exploitable in Kibana 8.19.9?
- Will these be addressed in the next 8.19.x patch release?
- Is there an estimated remediation timeline?
- Are there recommended mitigations until a patch is released?