CVE-2025-25016

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-25016
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-25016.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-25016
Aliases
Published
2025-05-01T14:15:36.930Z
Modified
2025-12-09T17:05:58.382230Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
[none]
Details

Unrestricted file upload in Kibana allows an authenticated attacker to compromise software integrity by uploading a crafted malicious file due to insufficient server-side validation.

References

Affected packages

Git / github.com/elastic/elasticsearch

Affected ranges

Type
GIT
Repo
https://github.com/elastic/elasticsearch
Events
Introduced
bee86328705acaa9a6daede7140defd4d9ec56bd
Fixed
92f290e9537478f85ff3fe3ab39945c1a49a6c1a

Affected versions

v7.*

v7.17.0
v7.17.1
v7.17.10
v7.17.11
v7.17.12
v7.17.13
v7.17.14
v7.17.15
v7.17.16
v7.17.17
v7.17.18
v7.17.2
v7.17.3
v7.17.4
v7.17.5
v7.17.6
v7.17.7
v7.17.8
v7.17.9

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-25016.json"

vanir_signatures

[
    {
        "target": {
            "file": "server/src/internalClusterTest/java/org/elasticsearch/snapshots/SnapshotStressTestsIT.java"
        },
        "id": "CVE-2025-25016-03f25105",
        "deprecated": false,
        "signature_type": "Line",
        "source": "https://github.com/elastic/elasticsearch/commit/92f290e9537478f85ff3fe3ab39945c1a49a6c1a",
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "82047729086430910756604278104193458802",
                "131410135016128987439099169873091096185",
                "307499659489575771444191318791584808901",
                "283573415662965770105778062442554353810",
                "246118581985204571158009790777095832719",
                "11882487284426012650628006900929671532"
            ],
            "threshold": 0.9
        }
    },
    {
        "target": {
            "function": "startCleaner",
            "file": "server/src/internalClusterTest/java/org/elasticsearch/snapshots/SnapshotStressTestsIT.java"
        },
        "id": "CVE-2025-25016-939533c3",
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://github.com/elastic/elasticsearch/commit/92f290e9537478f85ff3fe3ab39945c1a49a6c1a",
        "signature_version": "v1",
        "digest": {
            "function_hash": "12158914231129088094406129298884796573",
            "length": 1180.0
        }
    }
]

Git / github.com/elastic/kibana

Affected ranges

Type
GIT
Repo
https://github.com/elastic/kibana
Events
Introduced
60a9838d21b6420bbdb5a4d07099111b74c68ceb
Fixed
c9d7ee0739b7d6af7553e326075e81728534ab44

Affected versions

v7.*

v7.17.0
v7.17.1
v7.17.10
v7.17.11
v7.17.12
v7.17.13
v7.17.14
v7.17.15
v7.17.16
v7.17.17
v7.17.18
v7.17.2
v7.17.3
v7.17.4
v7.17.5
v7.17.6
v7.17.7
v7.17.8
v7.17.9

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-25016.json"