Authenticated code execution via prototype pollution in Kibana

Updated: 2025-05-30
Risk: Low
Patch available: Yes
Number of vulnerabilities: 1
CVE-ID: CVE-2025-25014
CWE-ID: CWE-1321
Exploitation vector: Network
Public exploit: Public exploit code for vulnerability #1 is available.
Vulnerable software: Kibana (Web applications / Other software)
Vendor: Elastic Stack

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Prototype pollution

EUVDB-ID: #VU108739

Risk: Low

CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: CVE-2025-25014

CWE-ID: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Exploit availability: Yes

Description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper input validation within the machine learning and reporting endpoints. A remote privileged user can send a specially crafted HTTP request to the application, perform prototype pollution and execute arbitrary code in the context of Kibana.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Kibana: 8.3.0 - 9.0.0

External links

https://discuss.elastic.co/t/kibana-8-17-6-8-18-1-or-9-0-1-security-update-esa-2025-07/377868


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
