Kibana docker images security

I’m running several ES clusters and my Kibana containers are getting flagged for CVE-2025-7783 due to the presence of the form-data library. I’ve checked the most recent 8.18.4 and 9.0.4 Docker images and they both contain vulnerable versions of this (form-data <4.0.4). I’ve tried running OS patching in the containers but this doesn’t sort it and npm isn’t installed. I checked the security announcements pages but didn’t see anything referencing this vulnerability.

Questions:

1. Are there plans to address this in official images (preferably back-ported to 8.18.0/9.0.0 at least)?

2. Is there an easy way to mitigate by running a few commands in a Dockerfile? I’m not familiar with node packages and how to update them.

EDIT: As I poke around I suspect this may be due to an older version of axios in play with a dependency on form-data rather than form-data directly.
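An added example, not part of the original post and not Elastic's code: a read-only audit that walks a directory tree, lists every installed copy of form-data, flags those below the 4.0.4 threshold quoted above, and shows which packages declare it as a dependency (the axios suspicion in the EDIT). The function names and the sample tree built by `build_sample`, including every version in it, are constructed for illustration.

```python
import json, pathlib, sys, tempfile

FIXED = (4, 0, 4)  # threshold quoted in the post: form-data < 4.0.4 is flagged

def parse_version(text):
    """'4.0.3' -> (4, 0, 3); pre-release/build suffixes are ignored."""
    core = text.split("-")[0].split("+")[0]
    parts = [int(p) if p.isdigit() else 0 for p in core.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def scan(root, name="form-data", fixed=FIXED):
    """Return (installed copies of `name`, packages declaring it as a dependency)."""
    installed, dependents = [], []
    for manifest in pathlib.Path(root).rglob("package.json"):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest
        if not isinstance(meta, dict):
            continue
        if meta.get("name") == name and "version" in meta:
            ver = str(meta["version"])
            installed.append((str(manifest.parent), ver, parse_version(ver) < fixed))
        deps = meta.get("dependencies") or {}
        if isinstance(deps, dict) and name in deps:
            dependents.append((str(meta.get("name")), str(meta.get("version")), str(deps[name])))
    return sorted(installed), sorted(dependents)

def build_sample(root):
    """Constructed tree for the demo; not taken from a real Kibana image."""
    layout = {
        "node_modules/axios": {"name": "axios", "version": "1.0.0", "dependencies": {"form-data": "^4.0.0"}},
        "node_modules/axios/node_modules/form-data": {"name": "form-data", "version": "4.0.0"},
        "node_modules/form-data": {"name": "form-data", "version": "4.0.4"},
    }
    for rel, meta in layout.items():
        pkg = pathlib.Path(root, rel)
        pkg.mkdir(parents=True, exist_ok=True)
        (pkg / "package.json").write_text(json.dumps(meta), encoding="utf-8")
    return str(root)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = sys.argv[1] if len(sys.argv) > 1 else build_sample(tmp)
        installed, dependents = scan(root)
    for path, ver, flagged in installed:
        print("FLAGGED" if flagged else "ok", ver, path)
    for pkg, ver, wanted in dependents:
        print(f"declared by {pkg}@{ver}: {wanted}")
```

Pass the directory to scan as the only argument (for example an unpacked copy of the image filesystem); with no argument it runs against the constructed sample.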

You need to contact elastic through the email security@elastic.co.

You cannot update the node used by Kibana without possibly breaking it; this update needs to be done by Elastic.

Thanks, I’ll do that now. I’d hoped someone would have already called it out as it has been around for a little while now.

Circling back for anyone else who might stumble across this, this actually is in a KB article, and now I know where to look next time:


Thank you for following up with a link to the KB. Greatly appreciated!