Prototype pollution in Kibana - CVE-2025-25015

 


Published: March 5, 2025 / Updated: June 24, 2025


Vulnerability identifier: #VU105351
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2025-25015
CWE-ID: CWE-1321
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Elastic Stack
Affected software:
Kibana

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper input validation when handling specially crafted HTTP requests with a file upload. A remote user can upload a specially crafted file, perform prototype pollution and execute arbitrary code on the system.

In Kibana versions from 8.15.0 until 8.17.1, successful exploitation requires the Viewer role. In versions 8.17.1 and 8.17.2, the vulnerability is exploitable only by users whose roles contain all of the following privileges: fleet-all, integrations-all, actions:execute-advanced-connectors.
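
The preconditions above can be turned into a quick exposure check that lists which accounts meet them for a given Kibana version. This is an added example, not code from Elastic or from this advisory: the flat role-to-privilege map, the sample users and all function names are assumptions, and "until 8.17.1" is read as excluding 8.17.1.

```javascript
// Added example: exposure triage built only from the conditions stated in this advisory.
// Assumed data shape (not Kibana's role API): `roles` maps a role name to a flat privilege list.
const REQUIRED = ["fleet-all", "integrations-all", "actions:execute-advanced-connectors"];

// Parse "8.17.1" into [8, 17, 1]; reject anything that is not a plain x.y.z version.
function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(version).trim());
  if (!m) throw new Error(`unrecognized version: ${version}`);
  return m.slice(1).map(Number);
}

// Negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Assumption: "from 8.15.0 until 8.17.1" is read as excluding 8.17.1 itself.
function exposureTier(version) {
  const atLeast = (v) => compareVersions(version, v) >= 0;
  if (atLeast("8.15.0") && !atLeast("8.17.1")) return "viewer";
  if (atLeast("8.17.1") && compareVersions(version, "8.17.2") <= 0) return "privileged";
  return "not-listed"; // the advisory names no other versions
}

// Users meeting the advisory's precondition. Privileges are unioned across a user's roles
// (assumption: a conservative reading of "roles that contain all the following privileges").
function usersAtRisk(version, users, roles) {
  const tier = exposureTier(version);
  if (tier === "not-listed") return [];
  return users.filter((user) => {
    const granted = new Set(user.roles.flatMap((r) => roles[r] || []));
    // Assumption: any granted Kibana privilege counts as Viewer-level access or higher.
    if (tier === "viewer") return granted.size > 0;
    return REQUIRED.every((p) => granted.has(p));
  }).map((user) => user.name);
}

// Constructed sample data, not taken from a real deployment.
const sampleRoles = {
  viewer: ["viewer"], connector_ops: ["actions:execute-advanced-connectors"],
  fleet_admin: ["fleet-all", "integrations-all"],
};
const sampleUsers = [
  { name: "alice", roles: ["viewer"] }, { name: "bob", roles: ["fleet_admin", "connector_ops"] },
  { name: "carol", roles: ["fleet_admin"] }, { name: "svc-ingest", roles: [] },
];
console.log(usersAtRisk("8.16.3", sampleUsers, sampleRoles));
console.log(usersAtRisk("8.17.2", sampleUsers, sampleRoles));
```

A `not-listed` result means only that this advisory does not name the version, so confirm it against the vendor's notice.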


How to mitigate CVE-2025-25015

Install updates from the vendor's website.
