A severe security flaw has been discovered in Kibana, the widely used data visualization and analytics platform from Elastic, putting thousands of organizations at risk of remote code execution.
The vulnerability, tracked as CVE-2025-25014 and rated with a critical CVSSv3.1 score of 9.1, allows attackers to execute arbitrary code on affected systems by exploiting a prototype pollution weakness through crafted HTTP requests.
Technical Details: Prototype Pollution and Arbitrary Code Execution
Prototype pollution is a type of vulnerability that targets JavaScript applications by manipulating the prototype of built-in objects.
Attackers can inject malicious properties into the global object prototype, potentially altering application logic and enabling unexpected behaviors.
In Kibana, this flaw can be abused to escalate privileges and execute arbitrary code remotely, a particularly dangerous scenario for environments that handle sensitive telemetry and analytics data.
The vulnerability is triggered via specially crafted HTTP requests sent to Kibana’s Machine Learning and Reporting endpoints.
If both features are enabled, an attacker with sufficient access privileges can compromise the integrity, confidentiality, and availability of the system.
Affected Versions and Configurations
The vulnerability impacts the following Kibana versions:
- 8.3.0 to 8.17.5
- 8.18.0
- 9.0.0
Both self-hosted and Elastic Cloud deployments are vulnerable if both the Machine Learning and Reporting features are enabled.
CVE and Severity
- CVE ID: CVE-2025-25014
- Severity: Critical (CVSSv3.1: 9.1)
- Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Mitigation and Remediation Steps
Elastic strongly urges all Kibana users to upgrade to a fixed version as soon as possible:
- 8.17.6
- 8.18.1
- 9.0.1
For users unable to upgrade immediately, Elastic recommends disabling either the Machine Learning or Reporting feature to block exploitation paths:
To Disable Machine Learning:
Add the following line to your kibana.yml configuration file:
xpack.ml.enabled: false
Alternatively, to disable only the anomaly detection sub-feature (for self-hosted deployments):
xpack.ml.ad.enabled: false
To Disable Reporting:
Add the following line to your kibana.yml configuration file:
xpack.reporting.enabled: false
Disabling either feature is sufficient to mitigate the vulnerability in the short term.
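As an added example (not Elastic's code and not part of the advisory), the following Python triage script applies the advisory's own criteria: it checks whether a Kibana version falls in the affected ranges and whether the kibana.yml workaround settings leave both Machine Learning and Reporting enabled. It assumes a flat `key: value` kibana.yml and, matching Kibana's defaults, treats a missing key as "enabled"; the sample configuration is constructed for illustration.

```python
"""Triage helper for the CVE-2025-25014 exposure window (added example)."""
import re

# Affected ranges named in the advisory: 8.3.0..8.17.5, 8.18.0 and 9.0.0.
AFFECTED = [((8, 3, 0), (8, 17, 5)), ((8, 18, 0), (8, 18, 0)), ((9, 0, 0), (9, 0, 0))]


def parse_version(text):
    """Turn '8.17.5' into (8, 17, 5) so ranges compare numerically."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Kibana version: {text!r}")
    return tuple(int(x) for x in m.groups())


def version_affected(version):
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED)


def parse_flat_yaml(text):
    """Simplified kibana.yml reader: top-level `key: value` lines only."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if ":" in line:
            key, _, value = line.partition(":")
            settings[key.strip()] = value.strip().strip("\"'")
    return settings


def feature_enabled(settings, key):
    # Kibana enables ML and Reporting by default, so an absent key means enabled.
    return settings.get(key, "true").lower() != "false"


def assess(version, kibana_yml):
    """Return (affected_version, ml_on, reporting_on, exploitable_config)."""
    s = parse_flat_yaml(kibana_yml)
    # Either ML switch from the advisory closes the ML exploitation path.
    ml_on = feature_enabled(s, "xpack.ml.enabled") and feature_enabled(s, "xpack.ml.ad.enabled")
    reporting_on = feature_enabled(s, "xpack.reporting.enabled")
    affected = version_affected(version)
    return (affected, ml_on, reporting_on, affected and ml_on and reporting_on)


# Constructed sample config (not a real deployment): ML left at its default.
SAMPLE_YML = """
server.port: 5601
xpack.reporting.enabled: true
# xpack.ml.enabled is not set, so Machine Learning stays enabled
"""

if __name__ == "__main__":
    print(assess("8.17.5", SAMPLE_YML))  # (True, True, True, True)
    print(assess("8.17.6", SAMPLE_YML))  # (False, True, True, False)
```

A result whose last element is True means the deployment matches both conditions the advisory describes and needs the upgrade or one of the workarounds above.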
Security Community Response
Elastic has published official advisories and strongly emphasizes the urgency of patching or mitigating this issue, given the risk of remote code execution and the criticality of affected environments.
Security researchers warn that exploitation could lead to full system compromise, data breaches, and disruption of business operations.
Organizations running Kibana versions 8.3.0 through 9.0.0 with both Machine Learning and Reporting enabled should consider themselves at high risk.
Immediate action, either by upgrading to a patched release or by disabling one of the vulnerable features, is essential to protect against potential attacks leveraging this critical prototype pollution flaw.