CVE-2025-25014: 
Kibana vulnerability analysis and mitigation

A critical Prototype pollution vulnerability has been discovered in Kibana, tracked as CVE-2025-25014. The vulnerability affects Kibana versions 8.3.0 to 8.17.5, 8.18.0, and 9.0.0, impacting both self-hosted and Elastic Cloud deployments with Machine Learning and Reporting features enabled. The vulnerability was disclosed on May 6, 2025 (Elastic Discussion).

The vulnerability is classified as a Prototype pollution issue (CWE-1321) that can lead to arbitrary code execution through specially crafted HTTP requests targeting Kibana's Machine Learning and Reporting endpoints. The severity is rated as Critical with a CVSS v3.1 score of 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) (SecurityOnline, Elastic Discussion).

The vulnerability allows attackers to execute arbitrary code through prototype pollution, potentially compromising the security of monitoring environments that handle sensitive telemetry and analytics data (SecurityOnline).

Elastic has released patched versions 8.17.6, 8.18.1, and 9.0.1 to address this vulnerability. For users unable to upgrade immediately, two alternative mitigation paths are available: 1) Disable Machine Learning by adding xpack.ml.enabled: false to elasticsearch.yml or xpack.ml.ad.enabled: false to kibana.yml, or 2) Disable Reporting by adding xpack.reporting.enabled: false to kibana.yml. Disabling either feature is sufficient to mitigate the vulnerability (Elastic Discussion).