CVE-2025-25014
Published: 06 May 2025
Summary
CVE-2025-25014 is a critical-severity Prototype Pollution (CWE-1321) vulnerability in Elastic Kibana. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 14.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as Other Platforms; in the Other ATLAS/OWASP Terms risk domain.
Deeper analysis
A prototype pollution vulnerability tracked as CVE-2025-25014 affects Kibana and permits arbitrary code execution when an attacker sends crafted HTTP requests to the machine learning and reporting endpoints. The flaw is classified under CWE-1321 and carries a CVSS 3.1 score of 9.1, reflecting a network attack vector, low attack complexity, high privileges required, no user interaction, and changed scope with high impact on confidentiality, integrity, and availability.
An authenticated attacker with administrative access can exploit the issue over the network to execute arbitrary code on the Kibana host, potentially compromising the entire Elastic Stack deployment and any data it processes.
Elastic's security advisory directs users to upgrade Kibana to versions 8.17.6, 8.18.1, or 9.0.1 to remediate the vulnerability.
The associated EPSS score remains flat at 0.0254 with no observed increase after disclosure.
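The analysis above names the weakness class (CWE-1321) but not the mechanism behind it. The following is an added illustration and is not Kibana's code, nor anything from Elastic's advisory: it shows a generic recursive-merge routine of the kind this weakness class describes, beside a hardened version that refuses prototype-affecting keys. The payload, function names (`unsafeMerge`, `safeMerge`, `demonstrate`) and the `DANGEROUS_KEYS` set are constructed for the example.

```javascript
// Added illustration of CWE-1321 (prototype pollution) in JavaScript.
// Not Kibana's code: a generic deep-merge of request data into an options
// object, in an unsafe and a hardened form. All names are constructed.

// Keys that, when copied by a naive merge, reach the object's prototype chain.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Unsafe: copies every own key of `source`, including "__proto__".
// JSON.parse creates an own property literally named "__proto__", and
// target["__proto__"] resolves to Object.prototype, so the recursion
// writes the nested keys onto the shared prototype of every object.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: skip prototype-affecting keys and only recurse into properties
// that `target` actually owns, never into inherited ones.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (DANGEROUS_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Run one merge routine against a constructed request body and report whether
// an unrelated object now sees a property it never had. The prototype is
// cleaned up afterwards so the demonstration does not leak into other code.
function demonstrate(mergeFn) {
  const body = JSON.parse('{"name": "report", "__proto__": {"polluted": "yes"}}');
  const options = mergeFn({}, body);
  const unrelated = {};
  const leaked = unrelated.polluted; // undefined unless Object.prototype was written
  delete Object.prototype.polluted;
  return { name: options.name, leaked: leaked };
}

console.log('unsafeMerge:', demonstrate(unsafeMerge)); // leaked: 'yes'
console.log('safeMerge:  ', demonstrate(safeMerge));   // leaked: undefined
```

The hardened version keeps the legitimate field (`name`) while dropping the prototype-affecting key; an equivalent defence is to build option objects with `Object.create(null)` so there is no prototype to reach, and to validate request bodies against a schema before merging them at all.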
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-13630
Vulnerability details
A prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine learning and reporting endpoints.
- CWE(s): CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes, "Prototype Pollution")
AI Security Analysis
- AI Category: Other Platforms
- Risk Domain: Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: machine learning
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190: Exploit Public-Facing Application
Why these techniques?
Prototype pollution in Kibana enables arbitrary remote code execution via crafted HTTP requests to machine learning and reporting endpoints, facilitating exploitation of a public-facing application.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.