Kibana CVE-2025-25009: Brief Summary of Stored XSS via Case File Upload

This post provides a brief summary of CVE-2025-25009, a high-severity stored XSS vulnerability in Kibana's case file upload feature. We cover affected versions, technical details, patch information, and vendor security history based on available sources.
ZeroPath CVE Analysis

2025-10-07

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.


Introduction

Malicious file uploads in Kibana's case management can silently compromise user sessions and expose sensitive operational data. Organizations using Kibana for security analytics and incident response are at risk if they have not addressed a recently disclosed stored XSS vulnerability.

About Kibana and Elastic: Kibana is the primary visualization and analytics interface for Elasticsearch, part of the Elastic Stack. Elastic is a leading provider of search and analytics solutions, with millions of users worldwide and a strong presence in enterprise observability, security, and data analysis. Kibana is a critical tool for security operations centers, IT monitoring, and business analytics.

Technical Information

CVE-2025-25009 is a stored cross-site scripting vulnerability in Kibana's case file upload functionality. The vulnerability arises from improper neutralization of user-supplied input during web page generation (CWE-79). An authenticated user with file upload privileges can upload a file containing malicious JavaScript. When another user views the affected case in Kibana, the script executes in their browser context.

This can lead to:

  • Session hijacking (by stealing session cookies)
  • Data theft (exfiltrating information visible in the Kibana UI)
  • Privilege escalation (if the victim has higher privileges)

The root cause is insufficient input validation and output encoding in the case file upload and rendering logic. The flaw is present in the code responsible for handling and displaying uploaded case files. No public code snippets are available for this vulnerability. Exploitation requires authenticated access with file upload permissions.

Patch Information

To address CVE-2025-25009, Elastic released patches in the following versions:

  • 8.18.8
  • 8.19.5
  • 9.0.8
  • 9.1.5

These updates enhance input validation and output encoding for case file uploads, ensuring that user-supplied content is properly sanitized before being rendered in the browser. Organizations should upgrade to the relevant fixed version as soon as possible.
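As an added example that is not part of the original post or of Kibana's own code, the following JavaScript shows the three controls the technical description and the patch summary point at for an attachment-upload path: validating the file type against its magic bytes rather than the client-declared MIME type, serving stored files as downloads with sniffing disabled, and escaping the user-controlled filename before it is rendered in the case page. The allowlist, header set and function names are hypothetical.

```javascript
// Added defensive example (not Kibana code): hardening a case-file upload
// path against stored XSS with three controls: (1) allowlist the type and
// check it against the file's magic bytes, (2) serve attachments as downloads
// rather than inline, (3) HTML-escape the user-controlled filename.

// Allowlisted types with their magic-byte prefixes. SVG and HTML are left
// out on purpose: browsers execute script in them when shown inline.
const ALLOWED = {
  'image/png':       { ext: ['png'],         magic: [0x89, 0x50, 0x4e, 0x47] },
  'image/jpeg':      { ext: ['jpg', 'jpeg'], magic: [0xff, 0xd8, 0xff] },
  'application/pdf': { ext: ['pdf'],         magic: [0x25, 0x50, 0x44, 0x46] },
};

// Validate a declared MIME type, filename and Buffer of content.
// Returns { ok: true } or { ok: false, reason }.
function validateUpload(filename, declaredMime, bytes) {
  const spec = ALLOWED[declaredMime];
  if (!spec) return { ok: false, reason: 'type not allowlisted' };
  const ext = (filename.split('.').pop() || '').toLowerCase();
  if (!spec.ext.includes(ext)) return { ok: false, reason: 'extension/type mismatch' };
  // Trust the bytes, not the declared type: the client controls the latter.
  if (bytes.length < spec.magic.length || !spec.magic.every((b, i) => bytes[i] === b)) {
    return { ok: false, reason: 'content does not match declared type' };
  }
  return { ok: true };
}

// Escape a string for insertion into an HTML text or attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Headers for serving a stored attachment: force download, forbid MIME
// sniffing, and sandbox anything a browser might still decide to render.
function attachmentHeaders(filename, mime) {
  const safeName = filename.replace(/[^\w.\-]/g, '_');
  return {
    'Content-Type': mime,
    'Content-Disposition': `attachment; filename="${safeName}"`,
    'X-Content-Type-Options': 'nosniff',
    'Content-Security-Policy': "default-src 'none'; sandbox",
  };
}

// Render one attachment row of the case page with the filename escaped.
function renderAttachmentRow(filename) {
  return `<li class="case-attachment">${escapeHtml(filename)}</li>`;
}
```

The magic-byte check is what stops a file that declares itself as an image while actually carrying markup; the download headers are the second layer in case the check is ever bypassed.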

For Kibana 7.12 through 8.19.0, a temporary workaround is to enable the advanced setting discover:searchFieldsFromSource: true. No workarounds are available for 9.0 and later; immediate patching is required.

Patch sources:

Affected Systems and Versions

The following Kibana versions are affected by CVE-2025-25009:

  • 7.x up to and including 7.17.29
  • 8.0.0 through 8.18.7
  • 8.19.0 through 8.19.4
  • 9.0.0 through 9.0.7
  • 9.1.0 through 9.1.4

All configurations where users have file upload privileges in case management are vulnerable.

Vendor Security History

Kibana and Elastic have a documented history of XSS and related vulnerabilities. Notable examples include:

  • CVE-2019-7609: Arbitrary code execution in Timelion visualizer (CVSS 10.0)
  • CVE-2022-23713: XSS in Vega Charts integration
  • CVE-2018-3820, CVE-2018-3821, CVE-2017-8440: Various XSS issues in visualization components

Elastic typically responds quickly to reported vulnerabilities, issuing patches and advisories across supported version branches. Its security advisories provide detailed technical and mitigation information.

References
