Critical Alert: Elastic Patches Severe Kibana Flaw That Allows Hackers to Execute Remote Code

# Critical Security Flaw in Kibana Dashboard Software Patched

Elastic has released urgent security updates to address a critical vulnerability in Kibana, their popular data visualization dashboard for Elasticsearch. The flaw, identified as CVE-2025-25012 with a near-maximum CVSS score of 9.9, could allow attackers to execute arbitrary code on affected systems.

The vulnerability stems from prototype pollution, a technique that enables attackers to manipulate JavaScript objects and properties. According to Elastic’s advisory released Wednesday, this could lead to “arbitrary code execution via a crafted file upload and specifically crafted HTTP requests.”
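To show the mechanism the advisory refers to, the following added example (not Kibana's code, and not the CVE-2025-25012 bug itself) contrasts a naive recursive merge of a JSON request body, which pollutes `Object.prototype`, with a hardened merge that skips prototype-altering keys; the request body and the `isAdmin` property are constructed for the demo.

```javascript
// Added example (not Kibana's code): how a naive recursive merge of
// attacker-controlled JSON pollutes Object.prototype, and a hardened merge.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Unsafe: for...in visits the own key "__proto__" that JSON.parse creates,
// target["__proto__"] resolves to Object.prototype, and the recursion
// writes the attacker's properties onto it.
function mergeUnsafe(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      mergeUnsafe(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: only own keys, and never "__proto__", "constructor" or "prototype".
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    if (isPlainObject(source[key])) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      mergeSafe(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Constructed request body for the demo (not taken from the advisory).
const CRAFTED_BODY = '{"name":"report","__proto__":{"isAdmin":true}}';

// True if a brand-new, unrelated object now inherits the injected property.
function isPolluted() {
  return ({}).isAdmin === true;
}

// Merge the crafted body into empty settings, report whether the global
// prototype was polluted, then remove the property so later checks start clean.
function runDemo(mergeFn) {
  mergeFn({}, JSON.parse(CRAFTED_BODY));
  const polluted = isPolluted();
  delete Object.prototype.isAdmin;
  return polluted;
}
```

In a real service the polluted prototype is never cleaned up, so every later object lookup (feature flags, template options, child-process settings) inherits the attacker's values; allow-listing keys or using `Object.create(null)` for parsed input closes that path.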

## Affected Versions and Exploitation Requirements

The security issue affects Kibana versions from 8.15.0 up to, but not including, the patched 8.17.3 release, with the exploitation requirements varying by version:

– In versions 8.15.0 to 8.17.0: Exploitable by users with only Viewer role privileges
– In versions 8.17.1 and 8.17.2: Exploitable only by users with specific privilege combinations including fleet-all, integrations-all, and actions:execute-advanced-connectors

## Mitigation Options

Users are strongly advised to:
1. Update to the patched version 8.17.3
2. If immediate patching isn’t possible, disable the Integration Assistant feature by setting `xpack.integration_assistant.enabled: false` in the Kibana configuration file (`kibana.yml`)

This marks the latest in a series of critical vulnerabilities addressed by Elastic in recent months. In August 2024, the company patched another prototype pollution flaw (CVE-2024-37287), followed by two severe deserialization bugs in September (CVE-2024-37288 and CVE-2024-37285), all of which could potentially lead to code execution.