CVE-2025-25014: 
Kibana vulnerability analysis and mitigation

A critical Prototype pollution vulnerability (CVE-2025-25014) was discovered in Kibana, affecting versions 8.3.0 to 8.17.5, 8.18.0, and 9.0.0, including both self-hosted and Elastic Cloud deployments. The vulnerability was disclosed on May 6, 2025, and specifically impacts installations with Machine Learning and Reporting features enabled (Wiz).

The vulnerability is classified as a Prototype pollution issue (CWE-1321) that enables arbitrary code execution through specially crafted HTTP requests targeting Kibana's Machine Learning and Reporting endpoints. It has been assigned a Critical severity rating with a CVSS v3.1 score of 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) (Wiz).

The vulnerability allows attackers to execute arbitrary code through prototype pollution, potentially compromising the security of monitoring environments that handle sensitive telemetry and analytics data (Wiz).

Elastic has released patched versions 8.17.6, 8.18.1, and 9.0.1 to address this vulnerability. For users unable to upgrade immediately, two alternative mitigation paths are available: 1) Disable Machine Learning by adding xpack.ml.enabled: false to elasticsearch.yml or xpack.ml.ad.enabled: false to kibana.yml, or 2) Disable Reporting by adding xpack.reporting.enabled: false to kibana.yml. Disabling either feature is sufficient to mitigate the vulnerability (ASEC, Wiz).