CVE-2025-25015
Published: 05 March 2025
Summary
CVE-2025-25015 is a critical-severity Prototype Pollution (CWE-1321) vulnerability in Elastic Kibana. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 22.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).
Deeper analysis
Prototype pollution in Kibana enables arbitrary code execution when an attacker supplies a crafted file upload followed by specially constructed HTTP requests. The flaw affects Kibana versions 8.15.0 through 8.17.2 and is tracked as CWE-1321; the CVSS 3.1 score is 9.9.
In versions 8.15.0 to 8.17.0, any user holding the Viewer role can trigger the vulnerability. In 8.17.1 and 8.17.2 the attack surface is narrower, requiring a role that possesses the fleet-all, integrations-all, and actions:execute-advanced-connectors privileges. Successful exploitation yields full code execution on the Kibana host.
Elastic’s security advisory recommends immediate upgrade to Kibana 8.17.3 or 8.16.6, which contain the fix. The associated EPSS score remains low (current 0.0100, peak 0.0128) with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-6024
Vulnerability details
Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests. In Kibana versions >= 8.15.0 and < 8.17.1, this is exploitable by users with the Viewer role. In Kibana versions 8.17.1…
more
and 8.17.2 , this is only exploitable by users that have roles that contain all the following privileges: fleet-all, integrations-all, actions:execute-advanced-connectors
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Prototype pollution vulnerability enables RCE on public-facing Kibana server via crafted requests/file upload; directly supports T1190 for exploiting the application and T1068 for escalating from low-priv roles (e.g., Viewer) to full code execution.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Flaw remediation directly mitigates CVE-2025-25015 by requiring timely application of Kibana security patches (e.g., 8.17.3 or 8.16.6) to eliminate the prototype pollution vulnerability.
Least privilege prevents exploitation by restricting Viewer role or required privileges (fleet-all, integrations-all, actions:execute-advanced-connectors) from performing crafted file uploads and HTTP requests.
Information input validation on file uploads and HTTP requests helps block crafted inputs that trigger prototype pollution leading to arbitrary code execution.