CVE-2025-68387

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-68387
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68387.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-68387
Aliases
Published
2025-12-18T23:15:49.300Z
Modified
2025-12-25T03:46:05.715913Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
[none]
Details

Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an unauthenticated user to embed a malicious script in content that will be served to web browsers, causing cross-site scripting (XSS) (CAPEC-63) via a vulnerability in a function handler in the Vega AST evaluator.

References

Affected packages

Git / github.com/elastic/elasticsearch

Affected ranges

Type
GIT
Repo
https://github.com/elastic/elasticsearch
Events

Database specific

vanir_signatures

[
    {
        "digest": {
            "length": 305.0,
            "function_hash": "229166255045301346585622455642873789853"
        },
        "id": "CVE-2025-68387-03e305b5",
        "source": "https://github.com/elastic/elasticsearch/commit/f60dd5fdef48c4b6cf97721154cd49b3b4794fb0",
        "signature_type": "Function",
        "target": {
            "file": "x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/role/RoleDescriptorRequestValidator.java",
            "function": "validateIndexNameExpression"
        },
        "signature_version": "v1",
        "deprecated": false
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "22799343236770748403298540225288566789",
                "148306469380463964857590464523617086489",
                "112708772737749378359171394647526694800",
                "54738819031625359442437444026504288464",
                "215408533376176740699445489020547479671"
            ]
        },
        "id": "CVE-2025-68387-74b79f8c",
        "source": "https://github.com/elastic/elasticsearch/commit/f60dd5fdef48c4b6cf97721154cd49b3b4794fb0",
        "signature_type": "Line",
        "target": {
            "file": "x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/role/RoleDescriptorRequestValidator.java"
        },
        "signature_version": "v1",
        "deprecated": false
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "35308104646925593422797425754370691903",
                "305064702061835088979702429131580923084",
                "85843254806226700035260888561335619158",
                "60079007924553349940581118979270624908",
                "188733035935134607917526267132093491593",
                "134130522338909018824882908608939301094"
            ]
        },
        "id": "CVE-2025-68387-e904b954",
        "source": "https://github.com/elastic/elasticsearch/commit/f60dd5fdef48c4b6cf97721154cd49b3b4794fb0",
        "signature_type": "Line",
        "target": {
            "file": "x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/action/role/RoleDescriptorRequestValidatorTests.java"
        },
        "signature_version": "v1",
        "deprecated": false
    }
]

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68387.json"

Git / github.com/elastic/kibana

Affected ranges

Type
GIT
Repo
https://github.com/elastic/kibana
Events

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68387.json"