#VU105351 Prototype pollution in Kibana - CVE-2025-25015

Published: March 5, 2025 / Updated: June 24, 2025


Vulnerability identifier: #VU105351
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2025-25015
CWE-ID: CWE-1321
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Kibana
Software vendor: Elastic Stack

Description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper input validation when handling specially crafted HTTP requests with file upload. A remote user can upload a specially crafted file, perform prototype pollution and execute arbitrary code on the system.

Successful exploitation of the vulnerability requires the Viewer role in Kibana from version 8.15.0 until 8.17.1; in versions 8.17.1 and 8.17.2 it is only exploitable by users whose roles contain all of the following privileges: fleet-all, integrations-all, actions:execute-advanced-connectors.
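How a crafted upload document can reach Object.prototype through a permissive recursive merge, beside the hardened merge that blocks it, as an added JavaScript example that is not Kibana's code and does not reproduce Kibana's actual parsing path; the upload document, the merge functions and the blocked-key list are constructed for this illustration of CWE-1321.

```javascript
// Added example, not Kibana's code: the CWE-1321 pattern (a recursive merge
// of attacker-controlled JSON) beside a hardened merge. The upload document
// below is constructed for this illustration.
const UNTRUSTED_UPLOAD =
  '{"title":"dashboard",' +
  '"__proto__":{"isAdmin":true},' +                   // resolves to Object.prototype
  '"nested":{"constructor":{"prototype":{"polluted":"yes"}}}}';

// Vulnerable pattern: every key is walked, so target["__proto__"] yields
// Object.prototype and the nested assignment lands on every object.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === "object") {
      if (!target[key] || typeof target[key] !== "object") target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened pattern: skip the keys that reach the prototype chain, only
// descend into own properties, and build nested containers without a prototype.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === "object" && !Array.isArray(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          typeof target[key] !== "object" || target[key] === null) {
        target[key] = Object.create(null);
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Merges the upload with the given function and reports whether a fresh,
// unrelated object now carries the injected property; cleans up afterwards.
function pollutesPrototype(merge) {
  merge({}, JSON.parse(UNTRUSTED_UPLOAD));
  const polluted = {}.isAdmin === true;
  delete Object.prototype.isAdmin;
  return polluted;
}
```

A detection-side check of the same idea is to assert after parsing untrusted input that `Object.prototype` has gained no own properties; the hardened merge makes that assertion hold by construction.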


Remediation

Install updates from the vendor's website.

External links