CVE-2025-25014

Published May 6, 2025

Last updated 6 months ago

Overview

Description
A prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine learning and reporting endpoints.
Source
bressers@elastic.co
NVD status
Analyzed
Products
kibana

Risk scores

CVSS 3.1

Type
Primary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

bressers@elastic.co
CWE-1321

Social media

Hype score
Not currently trending
  1. #PenetrationTesting #ArbitraryCodeExecution CVE-2025-25014 (CVSS 9.1): Prototype Pollution in Kibana Opens Door to Code Execution https://t.co/wXui8z3Esy

    @Komodosec

    30 Jun 2025

    23 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Kibana issued a security advisory for CVE-2025-25014, a critical prototype pollution vulnerability that could allow arbitrary code execution via crafted HTTP requests to ML & reporting endpoints. Details on affected versions, mitigation, and detection: https://t.co/FG45WpmTE

    @qualys

    10 May 2025

    524 Impressions

    1 Retweet

    3 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

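  3. CVE-2025-25014 (CVSS 9.1): Kibana prototype pollution vulnerability can lead to remote code execution. Attackers can achieve arbitrary code execution by sending crafted HTTP requests to Kibana's Machine Learning and Reporting endpoints. https://t.co/P7orAcuk60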

    @chenze654321

    9 May 2025

    42 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. ⚠️⚠️ CVE-2025-25014 (CVSS 9.1): Prototype Pollution in Kibana Opens Door to Code Execution 🎯229k+ Results are found on the https://t.co/pb16tGYaKe nearly year. 🔗FOFA Link:https://t.co/TDcT06CYfs FOFA Query:app="Kibana" 🔖Refer:https://t.co/WyYkpLcz3u #OSINT #FOFA

    @fofabot

    8 May 2025

    1065 Impressions

    5 Retweets

    15 Likes

    4 Bookmarks

    0 Replies

    0 Quotes

  5. Threat Alert: Critical Vulnerability in Kibana Allows Attackers to Execute Arbitrary Code CVE-2025-25014 Severity: ⚠️ Critical Maturity: 🧨 Trending Learn more: https://t.co/Tl9PFZ54XZ #CyberSecurity #ThreatIntel #InfoSec

    @fletch_ai

    8 May 2025

    15 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. 📌 Critical CVE-2025-25014 vulnerability in Kibana allows remote code execution. Immediate update required. #CyberSecurity #Kibana https://t.co/ML5kTrsgga https://t.co/BddWrockzf

    @CyberHub_blog

    8 May 2025

    6 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. Critical vulnerability in Kibana, risk of code execution (CVE-2025-25014) #セキュリティ対策Lab #セキュリティ #Security https://t.co/QgMKEm60bs

    @securityLab_jp

    8 May 2025

    22 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. 🚨 CVE-2025-25014 ⚠️🔴 CRITICAL (9.1) 🏢 Elastic - Kibana 🏗️ 8.3.0 🔗 https://t.co/LVM5qESpMV #CyberCron #VulnAlert #InfoSec https://t.co/H10fcaySE6

    @cybercronai

    7 May 2025

    25 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. ⚠️Kibana updates ❗CVE-2025-25014 ➡️More info: https://t.co/D5bdAPdn3t https://t.co/fY8yWAkSbV

    @CERTpy

    7 May 2025

    102 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. 🚨 CVE-2025-25014 (CVSS 9.1) hits Kibana! A prototype pollution flaw allows arbitrary code execution via HTTP requests targeting the ML & Reporting endpoints. Update Kibana right now! 🔒 https://t.co/EL5g6i3fGy #CyberSec #Kibana

    @_F2po_

    7 May 2025

    39 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

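  11. Critical vulnerability in Kibana. CVE-2025-25014 is a prototype pollution issue with a CVSS score of 9.1. Arbitrary code execution is possible via crafted HTTP requests to the machine learning and reporting endpoints. Also, deployments on Elastic Cloud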

    @__kokumoto

    7 May 2025

    3674 Impressions

    19 Retweets

    43 Likes

    11 Bookmarks

    0 Replies

    0 Quotes

  12. CVE-2025-25014 (CVSS 9.1): Prototype Pollution in Kibana Opens Door to Code Execution https://t.co/q6KCi2CapR

    @Dinosn

    7 May 2025

    2357 Impressions

    4 Retweets

    30 Likes

    9 Bookmarks

    0 Replies

    0 Quotes

  13. 🚨Alert🚨 CVE-2025-25014(CVSS 9.1) : Prototype Pollution in Kibana Opens Door to Code Execution 📊412.1K+ Services are found on the https://t.co/ysWb28Crld yearly. 🔗Hunter Link:https://t.co/Xdrn76seDZ 👇Query HUNTER : https://t.co/q9rtuGgxk7="Elastic Kibana" FOFA : htt

    @HunterMapping

    7 May 2025

    2718 Impressions

    16 Retweets

    55 Likes

    22 Bookmarks

    0 Replies

    0 Quotes

Configurations