Elastic has rolled out a security update to address a critical vulnerability in Kibana, the data visualization dashboard software for Elasticsearch, that could result in arbitrary code execution.
The flaw, tracked as CVE-2025-25012, carries a CVSS score of 9.9 out of a maximum of 10.0. It is described as a case of prototype pollution.
The company said in an advisory issued on Wednesday, "Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specially crafted HTTP requests."
Prototype pollution is a class of vulnerability that allows attackers to manipulate an application's JavaScript objects and their properties, potentially leading to unauthorized data access, privilege escalation, denial of service, or remote code execution.
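To make the mechanism concrete, here is an added illustration (not code from Elastic or Kibana) of how a naive recursive merge of attacker-supplied JSON writes into Object.prototype, beside a hardened merge that refuses prototype-reaching keys. The request body is constructed for the example.

```javascript
// Added example, not from the original article or from Kibana: a naive
// deep merge of untrusted JSON lets a "__proto__" key reach Object.prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      // For key "__proto__", target[key] is Object.prototype, so the recursion
      // writes every nested property onto the shared prototype.
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened variant: skip keys that reach the prototype chain and only
// recurse into containers that are the target's own, prototype-less objects.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // drop prototype-reaching keys
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object' || target[key] === null) {
        target[key] = Object.create(null); // fresh container with no prototype
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed sample body; JSON.parse keeps "__proto__" as an own key.
const CONSTRUCTED_BODY = JSON.parse('{"name":"demo","__proto__":{"polluted":true}}');

function demoUnsafe() {
  const settings = unsafeMerge({}, CONSTRUCTED_BODY);
  const leaked = ({}).polluted === true; // an unrelated object now sees it
  delete Object.prototype.polluted;      // clean up so later code is unaffected
  return { name: settings.name, leaked };
}

function demoSafe() {
  const settings = safeMerge({}, CONSTRUCTED_BODY);
  return { name: settings.name, leaked: ({}).polluted === true };
}
```

Running demoUnsafe() shows an unrelated empty object inheriting the injected property, while demoSafe() keeps the legitimate field and leaves Object.prototype untouched.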
The vulnerability affects all versions of Kibana between 8.15.0 and 8.17.3. It is addressed in version 8.17.3.
Elastic said, "In Kibana versions from 8.15.0 and before 8.17.1, the vulnerability is only exploitable by users with the Viewer role. In Kibana versions 8.17.1 and 8.17.2, it can only be exploited by users who have all of the following privileges:
- Fleet
- Integrations
- Actions: execute-advanced-connectors"
Users are advised to apply the latest fixes to protect against potential threats. Where immediate patching is not an option, users are recommended to set the Integration Assistant feature flag to false in the Kibana configuration file ("kibana.yml"): "xpack.integration_assistant.enabled: false".
In August 2024, Elastic addressed another critical prototype pollution flaw in Kibana (CVE-2024-37287, CVSS score: 9.9) that could lead to code execution. A month later, it resolved two serious deserialization bugs (CVE-2024-37288, CVSS score: 9.9, and CVE-2024-37285, CVSS score: 9.1) that could also allow arbitrary code execution.