Dependency on Vulnerable Third-Party Component in Synthetics Recorder Leading to Remote Code Execution
A Dependency on Vulnerable Third-Party Component (CWE-1395) issue exists in the bundled Chromium browser in Elastic Synthetics Recorder that could allow an attacker to achieve remote code execution on a user's system. Exploitation requires a user to navigate the Synthetics Recorder's built-in browser to a malicious or compromised website that serves specially crafted, malformed content triggering the known vulnerabilities CVE-2025-6554 and CVE-2025-7657.
Affected Versions:
All versions before 1.4.14
Solutions and Mitigations:
The issue is resolved in version 1.4.15.
Severity: CVSSv3.1: High (7.5) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE ID: CVE-2025-6554 and CVE-2025-7657