Critical Kibana Vulnerabilities Enable Heap Corruption and Remote Code Execution

Elastic has disclosed a severe security flaw in Kibana, tracked as CVE-2025-2135 with a critical CVSS score of 9.9, enabling attackers to trigger heap corruption and potentially execute remote code through malicious HTML pages.

The vulnerability stems from a Chromium-based type confusion flaw (CVE-2025-2135) within Kibana’s reporting engine, where specially crafted HTML can exploit memory corruption during PDF/PNG report generation.

This vulnerability specifically impacts the V8 JavaScript engine in Chromium versions before 134.0.6998.88.

Affected Systems and Mitigation Requirements

  • Impacted Kibana versions:
    7.17.28 and earlier, 8.0.0–8.17.7, 8.18.0–8.18.2, and 9.0.0–9.0.2.
  • Vulnerable configurations:
    Self-hosted or Elastic Cloud instances with PDF/PNG reporting enabled. CSV reporting and serverless deployments remain unaffected.
  • Immediate remediation:
    Upgrade to patched versions 7.17.29, 8.17.8, 8.18.3, or 9.0.3.

Workarounds for Unpatchable Systems

For environments where upgrades aren’t feasible, implement these configurations in kibana.yml:

# Disable reporting entirely
xpack.reporting.enabled: false

Alternative safeguards:

  • Restrict report generation privileges to trusted accounts using Kibana’s role-based access controls.
  • Enforce strict network policies to block unauthorized Chromium-Kibana connections:

    xpack.screenshotting.networkPolicy:
      rules: [{ allow: true, host: "localhost:5601" }]

    This limits communication to the local Kibana instance.
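An added example, not code from the article or from Elastic: it checks a Kibana version against the affected ranges listed above and reports whether the two workarounds (reporting disabled, or a pinned screenshotting network policy) are present in the configuration. The configuration is passed as the mapping a YAML loader would produce for kibana.yml; both the dotted-key and the nested style are accepted.

```python
# Affected ranges from the advisory, inclusive, with the patched release for that branch.
# "7.17.28 and earlier" is expressed with a 0.0.0 lower bound.
AFFECTED = [
    ((0, 0, 0), (7, 17, 28), "7.17.29"),
    ((8, 0, 0), (8, 17, 7), "8.17.8"),
    ((8, 18, 0), (8, 18, 2), "8.18.3"),
    ((9, 0, 0), (9, 0, 2), "9.0.3"),
]


def parse_version(text):
    """'8.17.7' -> (8, 17, 7); a build suffix such as '-SNAPSHOT' is ignored."""
    return tuple(int(part) for part in text.split("-")[0].split("."))


def fixed_version_for(version):
    """Return the patched release for an affected version, or None if not affected."""
    ver = parse_version(version)
    for low, high, fixed in AFFECTED:
        if low <= ver <= high:
            return fixed
    return None


def flatten(node, prefix=""):
    """Turn nested mappings into dotted keys so 'a: {b: 1}' and 'a.b: 1' compare equal."""
    if not isinstance(node, dict):
        return {prefix.rstrip("."): node}
    out = {}
    for key, value in node.items():
        out.update(flatten(value, f"{prefix}{key}."))
    return out


def assess(version, config):
    """Summarise exposure and which of the article's workarounds the config applies."""
    flat = flatten(config)
    rules = flat.get("xpack.screenshotting.networkPolicy.rules") or []
    # Every allow rule must pin a host; a bare {allow: true} would permit any destination.
    restricted = bool(rules) and all(rule.get("host") for rule in rules if rule.get("allow"))
    fixed = fixed_version_for(version)
    return {
        "affected": fixed is not None,
        "upgrade_to": fixed,
        "reporting_disabled": flat.get("xpack.reporting.enabled") is False,
        "network_policy_restricted": restricted,
    }
```

Call `assess("8.17.7", {"xpack.reporting.enabled": False})` to see an affected node with reporting turned off and `8.17.8` as the upgrade target.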

Technical Mechanism and Exploit Potential

The vulnerability exploits type confusion in Chromium’s V8 engine, allowing attackers to corrupt heap memory via malicious HTML objects.

Successful exploitation could enable:

  • Remote code execution on compromised Kibana servers
  • Unauthorized data access or system control
  • Service disruption through memory corruption

Elastic Cloud deployments benefit from additional containment via seccomp-bpf and AppArmor profiles, which mitigate container escape risks.

However, self-hosted deployments remain highly vulnerable without patching or mitigations.

Administrators should prioritize upgrading affected systems or implementing strict access controls and network policies immediately.

The trivial exploitability of this flaw heightens its threat potential, particularly in environments processing sensitive operational or security data.


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
