Kibana released a security advisory to address a critical-severity vulnerability tracked as CVE-2025-25014. Successful exploitation of the prototype pollution vulnerability may lead to arbitrary code execution via crafted HTTP requests to Machine Learning and Reporting endpoints.
Kibana is a data visualization and exploration tool that allows users to create dashboards, reports, and visualizations from various data sources. Kibana processes and stores events in Elasticsearch, then accesses the logs and displays them to the user through visualizations like line graphs, bar graphs, and pie charts.
Affected Versions
The vulnerability affects Kibana versions 8.3.0 to 8.17.5, 8.18.0, and 9.0.0.
Note: Self-hosted and Elastic Cloud deployments with Kibana’s Machine Learning and Reporting features enabled are vulnerable to the flaw.
Mitigation
Users must upgrade to Kibana version 8.17.6, 8.18.1, or 9.0.1 to patch the vulnerability.
Please refer to the Kibana Security Advisory.
Workaround
Users who cannot upgrade should disable either Machine Learning OR Reporting.
- Disable Machine Learning:
The Machine Learning feature can be disabled for self-hosted and Elastic Cloud deployments by adding xpack.ml.enabled: false to the kibana.yml file.
Alternatively, self-hosted users can disable just the anomaly detection feature by adding xpack.ml.ad.enabled: false to the kibana.yml file.
OR
- Disable Reporting:
The Reporting feature can be disabled for self-hosted and Elastic Cloud deployments by adding xpack.reporting.enabled: false to the kibana.yml file.
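The following script is an added example for checking a deployment against the affected-version list and the workaround settings described above; it is not tooling from Elastic or Qualys. The version ranges and the kibana.yml keys (xpack.ml.enabled, xpack.ml.ad.enabled, xpack.reporting.enabled) are taken from this advisory; the sample kibana.yml contents embedded in the script are constructed, and the parser assumes the relevant settings are written as flat top-level key: value lines, which is how the workaround tells you to add them.

```python
"""Assess a Kibana instance against CVE-2025-25014.

Example code added beside the advisory (not Elastic's or Qualys's own
tooling). Affected ranges and workaround keys come from the advisory text;
the sample kibana.yml documents below are constructed for illustration.
"""
import re

# Affected versions per the advisory: 8.3.0 - 8.17.5, 8.18.0, 9.0.0
AFFECTED_RANGES = [
    ((8, 3, 0), (8, 17, 5)),
    ((8, 18, 0), (8, 18, 0)),
    ((9, 0, 0), (9, 0, 0)),
]
# Patched releases named in the advisory
FIXED_VERSIONS = {(8, 17, 6), (8, 18, 1), (9, 0, 1)}


def parse_version(text):
    """Turn 'x.y.z' into a comparable (x, y, z) tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"not an x.y.z version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected_version(version):
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def parse_flat_yaml(text):
    """Minimal reader for top-level 'key: value' lines in kibana.yml.

    Assumption: the settings of interest are flat dotted keys (as the
    workaround instructs). Comments and blank lines are ignored; nested
    mappings are not handled by this example.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'").lower()
    return settings


def workaround_applied(kibana_yml):
    """True if Machine Learning (or its anomaly detection) or Reporting is
    explicitly disabled. Absent keys mean the feature is at its default,
    i.e. still enabled, so they do not count as a mitigation."""
    s = parse_flat_yaml(kibana_yml)
    ml_disabled = (s.get("xpack.ml.enabled") == "false"
                   or s.get("xpack.ml.ad.enabled") == "false")
    reporting_disabled = s.get("xpack.reporting.enabled") == "false"
    return ml_disabled or reporting_disabled


def assess(version, kibana_yml):
    """Return 'fixed', 'not_affected', 'mitigated' or 'vulnerable'."""
    v = parse_version(version)
    if v in FIXED_VERSIONS:
        return "fixed"
    if not is_affected_version(version):
        return "not_affected"
    return "mitigated" if workaround_applied(kibana_yml) else "vulnerable"


# Constructed sample configurations (not taken from any real deployment)
SAMPLE_DEFAULT_YML = """\
# constructed sample: both features left enabled
server.port: 5601
xpack.ml.enabled: true
xpack.reporting.enabled: true
"""

SAMPLE_MITIGATED_YML = """\
# constructed sample: Reporting disabled per the workaround
server.port: 5601
xpack.ml.enabled: true
xpack.reporting.enabled: false
"""

if __name__ == "__main__":
    for ver, cfg in [("8.17.5", SAMPLE_DEFAULT_YML),
                     ("8.17.5", SAMPLE_MITIGATED_YML),
                     ("8.17.6", SAMPLE_DEFAULT_YML),
                     ("7.17.0", SAMPLE_DEFAULT_YML)]:
        print(f"Kibana {ver}: {assess(ver, cfg)}")
```

Feed assess() the version string reported by the instance and the contents of its kibana.yml; a result of "vulnerable" means the version is in the affected range and neither feature has been disabled, while "mitigated" only signals the workaround, not the patch, so the upgrade is still outstanding.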
Qualys Detection
Qualys customers can scan their devices with QID 383184 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://discuss.elastic.co/t/kibana-8-17-6-8-18-1-or-9-0-1-security-update-esa-2025-07/377868