CVE-2025-25015
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-25015
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-25015.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-25015
- Aliases
- Published
- 2025-03-05T10:15:20.160Z
- Modified
- 2025-12-05T08:56:15.186321Z
- Severity
-
- 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests. In Kibana versions >= 8.15.0 and < 8.17.1, this is exploitable by users with the Viewer role. In Kibana versions 8.17.1 and 8.17.2 , this is only exploitable by users that have roles that contain all the following privileges: fleet-all, integrations-all, actions:execute-advanced-connectors
- References
Affected packages
Git / github.com/elastic/elasticsearch
Database specific
vanir_signatures
[
{
"target": {
"file": "build-tools-internal/src/main/java/org/elasticsearch/gradle/internal/toolchain/ArchivedOracleJdkToolchainResolver.java"
},
"id": "CVE-2025-25015-a4f0942e",
"signature_version": "v1",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"36255366982402441943365076301650356089",
"145006512619480278887571052439883120125",
"157169414809992097628712548295209386229",
"163221426113429786005159139466844966457"
]
},
"source": "https://github.com/elastic/elasticsearch/commit/2eabb32aee47ed0c4ba71c169f098d0379402efe",
"signature_type": "Line"
}
]