Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-25015

Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests. In Kibana versions >= 8.15.0 and < 8.17.1, this is exploitable by users with the Viewer role. In Kibana versions 8.17.1 and 8.17.2 , this is only exploitable by users that have roles that contain all the following privileges: fleet-all, integrations-all, actions:execute-advanced-connectors

Published

2025-03-05T10:15:20.160

Last Modified

2025-10-02T17:53:04.750

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 9.9 (CRITICAL)

Weaknesses

Type: Secondary
CWE-1321

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	elastic	kibana	< 8.16.6	Yes
Application	elastic	kibana	< 8.17.3	Yes

References

https://discuss.elastic.co/t/kibana-8-17-3-8-16-6-security-update-esa-2025-06/375441 Mitigation, Vendor Advisory ([email protected])