Introduction
Malicious file uploads in Kibana's case management can silently compromise user sessions and expose sensitive operational data. Organizations that use Kibana for security analytics and incident response are exposed if they have not addressed a recently disclosed stored cross-site scripting (XSS) vulnerability, CVE-2025-25009.
About Kibana and Elastic: Kibana is the primary visualization and analytics interface for Elasticsearch, part of the Elastic Stack. Elastic is a leading provider of search and analytics solutions, with millions of users worldwide and a strong presence in enterprise observability, security, and data analysis. Kibana is a critical tool for security operations centers, IT monitoring, and business analytics.
Technical Information
CVE-2025-25009 is a stored cross-site scripting vulnerability in Kibana's case file upload functionality. It stems from improper neutralization of user-supplied input during web page generation (CWE-79). An authenticated user with permission to attach files to cases can upload a file whose content or metadata carries malicious JavaScript. When another user views the affected case, the script executes in that user's browser, on the Kibana origin and with the victim's authenticated session.
This can lead to:
- Session hijacking: Kibana's session cookie is HttpOnly by default, so the script usually cannot read it directly, but it can issue API requests that ride on the victim's session.
- Data theft: exfiltration of anything the victim can see in the Kibana UI or retrieve through its APIs, including case contents, alerts and index data.
- Privilege escalation: if the victim holds higher privileges (for example, a Kibana administrator), every action the script takes runs at that level.
The root cause is insufficient input validation and output encoding in the code that handles and displays uploaded case files. No public code snippets or proof of concept are available for this vulnerability. Exploitation requires authenticated access with case file upload permissions.
Patch Information
To address CVE-2025-25009, Elastic released patches in the following versions:
- 8.18.8
- 8.19.5
- 9.0.8
- 9.1.5
These updates enhance input validation and output encoding for case file uploads, ensuring that user-supplied content is properly sanitized before being rendered in the browser. Organizations should upgrade to the relevant fixed version as soon as possible.
For Kibana 7.12 through 8.19.0, a temporary workaround is to enable the advanced setting discover:searchFieldsFromSource: true (Stack Management > Advanced Settings). This is a mitigation only, not a fix, and does not remove the need to upgrade. No workaround is available for 9.0 and later; immediate patching is required.
Patch sources:
- https://discuss.elastic.co/t/kibana-8-18-8-8-19-5-9-0-8-9-1-5-security-update-esa-2025-17/382451
- https://discuss.elastic.co/t/kibana-8-18-8-8-19-5-9-0-8-and-9-1-5-security-update-esa-2025-20/382449
Affected Systems and Versions
The following Kibana versions are affected by CVE-2025-25009:
- 7.x up to and including 7.17.29
- 8.0.0 through 8.18.7
- 8.19.0 through 8.19.4
- 9.0.0 through 9.0.7
- 9.1.0 through 9.1.4
Any deployment in which at least one user can attach files to cases is exposed: the attacker needs only that case file upload privilege, not administrative rights, and the victim can be anyone who opens the case.
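As an added example (not from Elastic), the check below compares a Kibana version string against the affected and fixed ranges exactly as this page lists them and names the nearest fixed release. Assumptions: the "7.x" range is treated as starting at 7.0.0 because the page gives no lower bound, and since no 7.x fix is listed, 7.x installs are pointed at the lowest fixed release, 8.18.8. The function names are hypothetical.

```javascript
// Added example (not Elastic's code): assess a Kibana version against the
// CVE-2025-25009 ranges listed on this page. Names are hypothetical.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised Kibana version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function cmpVersion(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Inclusive affected ranges as listed on this page. Assumption: 7.x is taken
// from 7.0.0 because the page states no lower bound for that branch.
const AFFECTED_RANGES = [
  ['7.0.0', '7.17.29'],
  ['8.0.0', '8.18.7'],
  ['8.19.0', '8.19.4'],
  ['9.0.0', '9.0.7'],
  ['9.1.0', '9.1.4'],
];
const FIXED_VERSIONS = ['8.18.8', '8.19.5', '9.0.8', '9.1.5'];

function isAffected(version) {
  const v = parseVersion(version);
  return AFFECTED_RANGES.some(([lo, hi]) =>
    cmpVersion(v, parseVersion(lo)) >= 0 && cmpVersion(v, parseVersion(hi)) <= 0);
}

// Prefer the fix on the same major.minor line; otherwise the lowest fixed
// release above the running version (e.g. 7.17.x and 8.5.x both get 8.18.8).
function upgradeTarget(version) {
  const v = parseVersion(version);
  const sameLine = FIXED_VERSIONS.find((f) => {
    const fv = parseVersion(f);
    return fv[0] === v[0] && fv[1] === v[1] && cmpVersion(fv, v) > 0;
  });
  if (sameLine) return sameLine;
  const higher = FIXED_VERSIONS
    .filter((f) => cmpVersion(parseVersion(f), v) > 0)
    .sort((a, b) => cmpVersion(parseVersion(a), parseVersion(b)));
  return higher.length ? higher[0] : null;
}

function assessKibanaVersion(version) {
  const affected = isAffected(version);
  return { version, affected, upgradeTo: affected ? upgradeTarget(version) : null };
}

// Constructed sample inputs; in practice feed in version.number from the
// Kibana /api/status response.
for (const v of ['7.17.29', '8.18.7', '8.19.0', '9.0.8', '9.1.5', '9.2.0']) {
  console.log(assessKibanaVersion(v));
}

module.exports = { parseVersion, cmpVersion, isAffected, upgradeTarget, assessKibanaVersion };
```

Because 8.19.0 sits in both the workaround note and the affected list, a deployment on that exact release should apply the workaround and still be scheduled for 8.19.5; the checker reports it as affected for that reason.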
Vendor Security History
Kibana and Elastic have a documented history of XSS and related vulnerabilities. Notable examples include:
- CVE-2019-7609: Arbitrary code execution in Timelion visualizer (CVSS 10.0)
- CVE-2022-23713: XSS in Vega Charts integration
- CVE-2018-3820, CVE-2018-3821, CVE-2017-8440: Various XSS issues in visualization components
Elastic typically responds quickly to reported vulnerabilities, issuing patches and advisories across supported version branches. Their security advisories provide detailed technical and mitigation information.