CVE-2025-25014
CRITICAL
Kibana - Code Injection
Title source: llm
Description
A prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine learning and reporting endpoints.
Exploits (1)
Scores
CVSS v3
9.1
EPSS
0.0254
EPSS Percentile
85.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Details
CWE
CWE-1321
Status
published
Products (3)
elastic/kibana: 8.18.0
elastic/kibana: 9.0.0
elastic/kibana: 8.3.0 - 8.17.6
Published
May 06, 2025
Tracked Since
Feb 18, 2026