Elastic has released security updates to address a critical security flaw in Kibana, the data visualization software for Elasticsearch, that could lead to arbitrary code execution.
The vulnerability, tracked as CVE-2025-25012, carries a CVSS score of 9.9 out of a maximum of 10.0. It has been described as a case of prototype pollution.
"Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests," the company noted in an advisory released on Wednesday.
Prototype pollution is a class of security flaw that allows attackers to manipulate the objects and properties of a JavaScript application, potentially leading to unauthorized data access, privilege escalation, denial of service, or remote code execution. It typically works by smuggling a key such as "__proto__" into attacker-controlled input that the application recursively merges into an object; the write lands on the shared Object.prototype, so every object in the process inherits the injected property.
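To make the mechanism concrete, the following is an added example in JavaScript. It is not Kibana's code and does not reproduce CVE-2025-25012; the functions `unsafeMerge`, `safeMerge`, `isAuthorized` and `pollutes`, and the request body `PAYLOAD`, are all constructed for illustration. It shows a naive recursive merge being polluted by a JSON body carrying a `__proto__` key, an authorization check that silently flips as a result, and a hardened merge that rejects the dangerous keys.

```javascript
// Added example (not Kibana's code): prototype pollution through a
// recursive merge, and a hardened merge that blocks it.

// Constructed attacker input, as it might arrive in an HTTP request body
// or an uploaded JSON file. After JSON.parse, "__proto__" is an ordinary
// own property of the parsed object, not the prototype accessor.
const PAYLOAD = '{"name":"report","__proto__":{"isAdmin":true}}';

// Naive deep merge: copies every key of src into dst and recurses into
// nested objects. It never checks the key name, so dst["__proto__"]
// resolves (via the accessor on dst) to Object.prototype, and the
// recursion writes isAdmin onto the global prototype.
function unsafeMerge(dst, src) {
  for (const key in src) {
    const val = src[key];
    if (val !== null && typeof val === "object" && typeof dst[key] === "object") {
      unsafeMerge(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// A "gadget": any code that reads a property it expects to be set only on
// privileged users. After pollution, every object inherits isAdmin === true.
function isAuthorized(user) {
  return user.isAdmin === true;
}

// Hardened merge: refuses the keys that can reach a prototype, iterates own
// keys only, and never recurses into an inherited value on dst.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  if (v === null || typeof v !== "object") return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // drop (or reject the whole request)
    const val = src[key];
    if (isPlainObject(val)) {
      if (!Object.prototype.hasOwnProperty.call(dst, key) || !isPlainObject(dst[key])) {
        dst[key] = {};
      }
      safeMerge(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Runs one merge implementation against PAYLOAD and reports whether an
// unrelated, freshly created "guest" user now passes the authorization
// check. Cleans up Object.prototype afterwards so later code is unaffected.
function pollutes(mergeFn) {
  try {
    mergeFn({}, JSON.parse(PAYLOAD));
    return isAuthorized({ name: "guest" });
  } finally {
    delete Object.prototype.isAdmin;
  }
}

console.log("unsafeMerge pollutes:", pollutes(unsafeMerge)); // true
console.log("safeMerge pollutes:  ", pollutes(safeMerge));   // false
```

Rejecting `__proto__`, `constructor` and `prototype` at the merge boundary is the usual fix; as defense in depth, applications can also call `Object.freeze(Object.prototype)` at startup or parse untrusted input into null-prototype objects (`Object.create(null)`), so a polluted write has no shared prototype to land on.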
The vulnerability affects all versions of Kibana from 8.15.0 up to and including 8.17.2. It has been addressed in version 8.17.3.
That said, in Kibana versions from 8.15.0 up to (but not including) 8.17.1, the vulnerability is exploitable only by users with the Viewer role. In Kibana 8.17.1 and 8.17.2, it is exploitable only by users whose roles contain all of the following privileges:
- fleet-all
- integrations-all
- actions:execute-advanced-connectors
Users are advised to apply the latest fixes to guard against potential threats. If patching immediately is not an option, the Integration Assistant feature should be disabled by setting its flag to false ("xpack.integration_assistant.enabled: false") in Kibana's configuration file ("kibana.yml") and restarting Kibana.
In August 2024, Elastic addressed another critical prototype pollution flaw in Kibana (CVE-2024-37287, CVSS score: 9.9) that could lead to code execution. A month later, it resolved two severe deserialization bugs (CVE-2024-37288, CVSS score: 9.9, and CVE-2024-37285, CVSS score: 9.1) that could also allow arbitrary code execution.