CVE-2025-25014
CRITICALCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
3Description
A Prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine learning and reporting endpoints.
Analysis
A Prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine learning and reporting endpoints. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. This Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) vulnerability could allow attackers to modify object prototypes to inject properties affecting application logic.
Technical Context
This vulnerability is classified as Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) (CWE-1321), which allows attackers to modify object prototypes to inject properties affecting application logic. A Prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine learning and reporting endpoints. Affected products include: Elastic Kibana.
Affected Products
Elastic Kibana.
Remediation
A vendor patch is available. Apply the latest security update as soon as possible. Freeze prototypes, validate object keys, avoid recursive merging of untrusted data.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today