What is the CVSS score of CVE-2025-25014?

CVE-2025-25014 has a CVSS 3.1 base score of 9.1 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H. EPSS exploitation probability: 2.5%.

Which versions of Prototype Pollution are affected by CVE-2025-25014?

CVE-2025-25014 presents critical security risk, a prototype pollution vulnerability rated CVSS 9.1.. A patch is available.

How to fix or mitigate CVE-2025-25014?

Within 24 hours: Identify all affected systems and apply vendor patches immediately. Vendor patch is available.

Prototype Pollution CVE-2025-25014

CRITICAL

Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) (CWE-1321)

2025-05-06 security@elastic.co

RCE Elastic Prototype Pollution Kibana

9.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:40 vuln.today

Patch released

Mar 28, 2026 - 18:40 nvd

Patch available

CVE Published

May 06, 2025 - 18:15 nvd

CRITICAL 9.1

DescriptionNVD

A Prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine learning and reporting endpoints.

AnalysisAI

A Prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine learning and reporting endpoints. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. This Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) vulnerability could allow attackers to modify object prototypes to inject properties affecting application logic.

Technical ContextAI

This vulnerability is classified as Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) (CWE-1321), which allows attackers to modify object prototypes to inject properties affecting application logic. A Prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine learning and reporting endpoints. Affected products include: Elastic Kibana.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Freeze prototypes, validate object keys, avoid recursive merging of untrusted data.

More from same product – last 7 days

CVE-2026-42398 HIGH This Week

7.7 May 28

Server-side request forgery in Elastic Kibana allows authenticated users holding connector management privileges to bypa

CVE-2026-33464 MEDIUM This Month

6.5 May 28

Denial of service in Kibana allows any authenticated low-privileged user to render the Kibana service unresponsive for a

CVE-2026-42399 MEDIUM This Month

6.5 May 28

Denial of service in Elastic Kibana allows an authenticated low-privileged user to crash the Kibana service and deny acc

CVE-2026-42400 MEDIUM This Month

6.5 May 28

Denial of service in Kibana allows any authenticated user to crash or render unresponsive a Kibana instance by sending a

CVE-2026-49094 MEDIUM This Month

6.5 May 28

Denial of service in Kibana's analytics collections management endpoint allows any authenticated user with viewer-level

CVE-2025-25014 vulnerability details – vuln.today

Back

Prototype Pollution CVE-2025-25014

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

More from same product – last 7 days

Share

External POC / Exploit Code