Elastic has released an urgent security update to fix a critical vulnerability in Kibana, the popular data visualization dashboard for Elasticsearch. The flaw, tracked as CVE-2025-25012, has been rated 9.9 out of 10 on the CVSS severity scale, making it a major security risk for organizations using Kibana.
The Vulnerability
The vulnerability is caused by prototype pollution, a type of JavaScript security flaw that allows attackers to manipulate application properties. This can lead to unauthorized access, privilege escalation, denial-of-service (DoS), or even remote code execution (RCE).
According to Elastic’s security advisory, attackers can exploit this flaw by uploading a specially crafted file and sending malicious HTTP requests. If successful, they can execute arbitrary code on the system, potentially gaining control over Kibana instances.
Affected Versions
The vulnerability impacts Kibana versions 8.15.0 to 8.17.3. Elastic has patched the issue in version 8.17.3, and users are strongly advised to upgrade immediately.
In Kibana 8.15.0 to 8.17.1, only users with the Viewer role can exploit the flaw.
In Kibana 8.17.1 and 8.17.2, exploitation requires the following privileges:
fleet-all
integrations-all
actions:execute-advanced-connectors
Mitigation
To protect against potential attacks, Elastic recommends applying the latest security updates as soon as possible. If immediate patching is not an option, users should modify Kibana’s configuration file (kibana.yml) to disable the Integration Assistant feature using the following setting:
xpack.integration_assistant.enabled: falseThis temporary workaround helps mitigate the risk until a full update can be implemented.
Previous Security Issues
This is not the first time Kibana has faced prototype pollution vulnerabilities. In August 2024, Elastic fixed a similar critical flaw (CVE-2024-37287, CVSS score: 9.9) that could lead to remote code execution. A month later, the company patched two additional severe deserialization vulnerabilities:
CVE-2024-37288 (CVSS score: 9.9)
CVE-2024-37285 (CVSS score: 9.1)
Both of these flaws also had the potential to allow arbitrary code execution, raising concerns about ongoing security challenges within Kibana’s architecture.
Why This Update Matters
With a high severity score and the potential for remote exploitation, this latest vulnerability poses a significant risk to businesses using Elasticsearch. Threat actors targeting unpatched systems could compromise sensitive data, disrupt services, or execute malicious payloads within affected environments.
Organizations relying on Kibana should prioritize upgrading to version 8.17.3 or later to ensure their systems remain secure. Security teams must also stay vigilant about future updates and vulnerabilities, as attackers continuously seek new ways to exploit weaknesses in widely used software.
Conclusion
Elastic’s swift action in patching this critical issue highlights the importance of regular software updates and proactive security measures. Organizations using Kibana should act quickly to implement the fix and review their security policies to mitigate potential risks from similar vulnerabilities in the future.
For the latest updates on Kibana security, visit Elastic’s official security advisory page.
Follow us on 
(Twitter) for real time updates and exclusive content.
Interesting Article : Critical VMware Vulnerabilities: CISA Mandates Immediate Patching