New Kibana Vulnerabilities Allow Attackers to Embed Malicious Scripts
Elastic has recently released critical security updates to address a severe cross-site scripting (XSS) vulnerability that affects multiple versions of Kibana, a popular data visualization tool.
The vulnerability, identified as CVE-2025-68385, enables authenticated attackers to inject malicious scripts into web pages served to other users, potentially compromising sensitive data or session information.
Vulnerability Details
The flaw is attributed to improper input neutralization during web page generation, specifically within Kibana’s Vega visualization component, allowing attackers to bypass previous security measures designed to prevent XSS attacks.
When a malicious script is embedded in content, it gets executed in the browsers of users viewing that content, which can lead to unauthorized access to sensitive data or session information.
This vulnerability is classified as CWE-79 (Cross-site Scripting) and affects the entire Vega method implementation, making it a high-risk issue that requires immediate attention.
Although the attack requires the attacker to be authenticated, the impact is severe as it can spread across multiple users accessing the same Kibana instance, emphasizing the need for prompt remediation.
The vulnerability affects a wide range of Kibana versions, including all versions of the 7.x branch, as well as specific versions in the 8.x and 9.x series, highlighting the importance of verifying the version of Kibana in use.
In the 8.x series, versions from 8.0.0 through 8.19.8 are vulnerable, while the 9.x branch has two affected ranges: 9.0.0 through 9.1.8 and 9.2.0 through 9.2.2, making it essential to check the version of Kibana and apply the necessary patches.
Elastic has assigned a CVSSv3.1 score of 7.2 (High) to this vulnerability, reflecting the severity of the issue, which can be exploited remotely with low complexity and without requiring user interaction beyond initial authentication.
The vulnerability can compromise the confidentiality and integrity of data across multiple systems, emphasizing the need for swift action to mitigate the risk.
Elastic has released patched versions to address this issue, and organizations must upgrade to Kibana 8.19.9, 9.1.9, or 9.2.3 immediately to ensure the security of their systems.
These versions include the necessary fixes to properly neutralize malicious input in Vega visualizations and restore the integrity of XSS protections, providing a secure environment for users.
Security teams should prioritize patching Kibana deployments as soon as possible and review their Kibana instances for any suspicious visualizations or content created by authenticated users to minimize the risk of exploitation.
Implementing network segmentation and limiting Kibana access to trusted users can provide additional protection while upgrades are being prepared, helping to prevent potential attacks.