Cyber Resilience

CVE-2025-25014

Critical

Published: 06 May 2025
Modified: 02 October 2025
KEV Added: not listed
Patch: 2025-07-37 (not a valid calendar date; the day value in this field is garbled)
CVSS v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS: 0.0254 (85.8th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-25014 is a critical-severity Prototype Pollution (CWE-1321) vulnerability in Elastic Kibana. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it in the top 14.2% of CVEs by exploit likelihood, and it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.

This vulnerability is tagged as AI-related (AI category: Other Platforms; risk domain: Other ATLAS/OWASP Terms). The tag comes from a keyword match on "machine learning" in the description, which refers to Kibana's machine learning endpoints rather than to a flaw in a model or LLM; no OWASP Top 10 for LLMs entry is mapped.

Deeper analysis

A prototype pollution vulnerability tracked as CVE-2025-25014 affects Kibana and permits arbitrary code execution when an attacker sends crafted HTTP requests to the machine learning and reporting endpoints. The flaw is classified under CWE-1321 and carries a CVSS 3.1 score of 9.1: network attack vector, low attack complexity, high privileges required, no user interaction, and changed scope with full impact on confidentiality, integrity and availability. The changed scope is what lifts a bug that needs a privileged account to Critical: code execution on the Kibana host reaches well beyond the Kibana application's own authorization boundary.

An authenticated attacker with administrative access can exploit the issue over the network to execute arbitrary code on the Kibana host in the context of the Kibana process, potentially compromising the entire Elastic Stack deployment and any data it processes.
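To make the CWE-1321 mechanism concrete, the following added example (illustrative code, not Kibana's) shows a Node.js handler that deep-merges a JSON request body into server-side settings, first with a merge that can be polluted and then with a hardened merge that rejects the request. The handler, the settings object and the request body are constructed for this illustration; the "isAdmin" property stands in for whatever gadget an application reads from the prototype.

```javascript
// Added example (not Kibana's code): CWE-1321 prototype pollution through a
// recursive merge of attacker-controlled JSON, and a hardened merge beside it.

// VULNERABLE: keys of the attacker-controlled source are copied recursively.
// On an ordinary object, target["__proto__"] resolves to Object.prototype, so the
// recursion writes the attacker's properties onto every object in the process.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// The three keys through which a merge can reach a prototype:
// "__proto__" directly, "constructor" + "prototype" indirectly.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Recursive check over the whole body, arrays included, so nested payloads
// such as {"a":{"__proto__":{...}}} are caught as well.
function hasForbiddenKey(obj) {
  if (obj === null || typeof obj !== 'object') return false;
  return Object.keys(obj).some(
    (k) => FORBIDDEN_KEYS.has(k) || hasForbiddenKey(obj[k]));
}

// HARDENED: validate before touching any state, and only descend into properties
// the target itself owns, never into inherited ones.
function safeMerge(target, source) {
  if (hasForbiddenKey(source)) {
    throw new Error('request body contains a prototype-reaching key');
  }
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hypothetical handler: merges the parsed body into per-request settings and
// returns an HTTP-style result so the outcome can be inspected.
function handleRequest(mergeFn, body) {
  const settings = { title: 'default' };
  try {
    mergeFn(settings, body);
  } catch (e) {
    return { status: 400, settings, error: e.message };
  }
  return { status: 200, settings };
}

// Constructed attacker payload. JSON.parse creates an *own* property literally
// named "__proto__" (it is not treated specially), and Object.keys returns it.
const MALICIOUS_BODY = JSON.parse('{"title":"report","__proto__":{"isAdmin":true}}');

function demonstrate(mergeFn) {
  const result = handleRequest(mergeFn, MALICIOUS_BODY);
  // A fresh, unrelated object: if "isAdmin" is visible on it, the shared
  // prototype was polluted and every check of user.isAdmin in this process
  // now sees true.
  const polluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin; // undo so later code in the process is unaffected
  return { status: result.status, polluted, title: result.settings.title };
}

console.log('vulnerable merge:', demonstrate(unsafeMerge)); // polluted: true
console.log('hardened merge:  ', demonstrate(safeMerge));   // status 400, polluted: false
```

The hardened version validates the whole body before merging so that a rejected request leaves no partial state behind. Defence in depth on top of that: keep merge targets as `Object.create(null)` objects, which have no prototype to reach, and consider freezing `Object.prototype` at startup (Node also offers the experimental `--frozen-intrinsics` flag), which turns any remaining pollution attempt into a thrown error instead of silent corruption.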

Elastic's security advisory directs users to upgrade Kibana to versions 8.17.6, 8.18.1, or 9.0.1 to remediate the vulnerability.

The associated EPSS score remains flat at 0.0254 with no observed increase after disclosure.


Vulnerability details

A Prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine learning and reporting endpoints.

CWE(s)

CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

AI Security Analysis

AI Category: Other Platforms
Risk Domain: Other ATLAS/OWASP Terms
OWASP Top 10 for LLMs 2025: none mapped
Classification Reason: matched keywords: machine learning

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Prototype pollution in Kibana enables arbitrary remote code execution via crafted HTTP requests to machine learning and reporting endpoints, facilitating exploitation of a public-facing application.

Affected Assets

elastic
kibana
8.3.0 to 8.17.5 (fixed in 8.17.6), 8.18.0 (fixed in 8.18.1), 9.0.0 (fixed in 9.0.1)
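As an added example (not Elastic's code), the following check classifies a Kibana version against the affected ranges listed above and names the release from the advisory that fixes it. The version strings and the sample status document are constructed for the illustration; the document mimics the shape of the `version.number` field Kibana returns from `GET /api/status`.

```javascript
// Added example (not Elastic's code): is this Kibana version affected by
// CVE-2025-25014, and which release fixes it? Ranges are those listed on this page.

// Inclusive ranges with the fixing release for each line.
const AFFECTED = [
  { from: [8, 3, 0],  to: [8, 17, 5], fixedIn: '8.17.6' },
  { from: [8, 18, 0], to: [8, 18, 0], fixedIn: '8.18.1' },
  { from: [9, 0, 0],  to: [9, 0, 0],  fixedIn: '9.0.1' },
];

// Accept "8.17.5" or "8.17.5-SNAPSHOT"; anything else is an error rather than
// a silent "not affected".
function parseVersion(s) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(String(s).trim());
  if (!m) throw new Error(`unrecognised version string: ${s}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison of [major, minor, patch]; -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function assess(versionString) {
  const v = parseVersion(versionString);
  for (const r of AFFECTED) {
    if (compareVersions(v, r.from) >= 0 && compareVersions(v, r.to) <= 0) {
      return { version: versionString, affected: true, fixedIn: r.fixedIn };
    }
  }
  return { version: versionString, affected: false, fixedIn: null };
}

// Constructed sample in the shape of a (trimmed) GET /api/status response.
const SAMPLE_STATUS = JSON.parse(
  '{"name":"kibana-1","version":{"number":"8.17.5","build_snapshot":false}}');

function assessStatus(statusDoc) {
  return assess(statusDoc.version.number);
}

function describe(result) {
  return result.affected
    ? `${result.version}: AFFECTED, upgrade to ${result.fixedIn}`
    : `${result.version}: not in an affected range`;
}

for (const v of ['8.2.9', '8.3.0', '8.17.5', '8.17.6', '8.18.0', '8.18.1', '9.0.0', '9.0.1']) {
  console.log(describe(assess(v)));
}
console.log('from status document:', describe(assessStatus(SAMPLE_STATUS)));
```

The parser rejects unrecognised strings instead of defaulting to "not affected", because in an inventory sweep a silent negative is worse than an error that gets looked at.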

Mitigating Controls

No mitigating controls mapped yet. The vendor remediation is the upgrade given above: Kibana 8.17.6, 8.18.1 or 9.0.1.
