Introduction
Stored JavaScript payloads in Kibana's Fleet and Integrations interface can compromise administrative dashboards, enabling attackers to hijack sessions or exfiltrate sensitive monitoring data. This high-severity vulnerability, tracked as CVE-2025-25018, impacts a broad range of Kibana deployments and requires urgent attention from security teams managing Elastic Stack environments.
About Elastic and Kibana: Elastic is a global leader in search, observability, and security solutions. Kibana is the primary visualization and management interface for Elasticsearch, widely used for log analytics, security monitoring, and business intelligence. Elastic's products are deployed by thousands of organizations worldwide, making vulnerabilities in Kibana especially impactful across industries.
Technical Information
CVE-2025-25018 is a stored Cross-Site Scripting (XSS) vulnerability in Kibana's Fleet and Integrations management interface. The flaw is due to improper neutralization of user input during web page generation, specifically in areas where configuration data is stored and later rendered in the browser. Attackers who possess roles with 'All' permissions under Management for Fleet and Integrations can inject malicious JavaScript payloads into configuration fields or other stored data. When other users with access to these interface elements load the affected pages, the injected script executes in their browser context.
This enables several attack scenarios:
- Session hijacking by stealing authentication cookies
- Exfiltration of sensitive dashboard or monitoring data
- Privilege escalation if higher-privileged users access the compromised interface
The vulnerability is persistent: the malicious payload remains stored in the application until it is removed or the system is patched. The root cause is insufficient input validation and output encoding for user-supplied data rendered in dynamic web pages. No public code snippets or proof of concept are available as of this writing. The issue is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation).
Patch Information
To address the stored Cross-Site Scripting (XSS) vulnerability in Kibana, Elastic has released fixes in versions 8.18.8, 8.19.5, 9.0.8, and 9.1.5. These releases strengthen input validation so that malicious scripts cannot be stored and later executed within the application.
For users unable to upgrade immediately, it is recommended to restrict roles that include 'All' permissions under Management for Fleet and Integrations, since that privilege is required to plant the payload in the first place.
By implementing these updates or adjusting role permissions, organizations can effectively mitigate the risk associated with this XSS vulnerability.
Patch source: Elastic Security Advisory
Affected Systems and Versions
CVE-2025-25018 affects the following Kibana versions:
- All 7.x versions up to and including 7.17.29
- All 8.x versions up to and including 8.18.7
- 8.19.0 through 8.19.4
- 9.0.0 through 9.0.7
- 9.1.0 through 9.1.4
The vulnerability specifically requires that the attacker have a role with 'All' permissions under Management for Fleet and Integrations. Systems where such privileges are broadly assigned are at higher risk.
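The two checks a defender wants from this advisory are a version test against the ranges above and an audit of which roles hold the Fleet/Integrations 'All' privilege named in the Patch Information section. The script below is an added example, not Elastic's code; it assumes the Kibana feature IDs `fleetv2` (Fleet) and `fleet` (Integrations) and the response shape of `GET /api/security/role`, and the sample role list is constructed.

```python
# Added example (not from the advisory): test a Kibana version against the
# affected ranges listed above, and list roles holding the 'All' Fleet /
# Integrations privilege the advisory recommends restricting.

# Affected ranges from the advisory as (lower, upper), both inclusive.
AFFECTED_RANGES = [
    ((7, 0, 0), (7, 17, 29)),
    ((8, 0, 0), (8, 18, 7)),
    ((8, 19, 0), (8, 19, 4)),
    ((9, 0, 0), (9, 0, 7)),
    ((9, 1, 0), (9, 1, 4)),
]
# Assumed Kibana feature IDs: "fleetv2" is Fleet, "fleet" is Integrations.
FLEET_FEATURES = ("fleetv2", "fleet")


def parse_version(text):
    """'8.18.7' -> (8, 18, 7); a '-SNAPSHOT' style suffix is ignored."""
    parts = [int(p) for p in text.split("-")[0].split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version):
    """True if the version lies inside any range from the advisory."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def roles_with_fleet_all(roles):
    """Names of roles granting 'All' on Fleet or Integrations.

    `roles` is the parsed JSON list from GET /api/security/role. A role
    qualifies if a Kibana privilege entry grants base 'all' (which covers
    every feature) or feature-level 'all' on a Fleet feature.
    """
    found = set()
    for role in roles:
        for priv in role.get("kibana", []):
            feats = priv.get("feature", {})
            if "all" in priv.get("base", []) or any(
                "all" in feats.get(f, []) for f in FLEET_FEATURES
            ):
                found.add(role["name"])
    return sorted(found)


# Constructed sample shaped like a GET /api/security/role response.
SAMPLE_ROLES = [
    {"name": "fleet_admin", "kibana": [{"base": [], "feature": {"fleetv2": ["all"], "fleet": ["read"]}, "spaces": ["*"]}]},
    {"name": "viewer", "kibana": [{"base": ["read"], "feature": {}, "spaces": ["*"]}]},
    {"name": "space_admin", "kibana": [{"base": ["all"], "feature": {}, "spaces": ["ops"]}]},
    {"name": "dash_only", "kibana": [{"base": [], "feature": {"dashboard": ["all"]}, "spaces": ["*"]}]},
]
```

Roles returned by `roles_with_fleet_all` are the ones to review or tighten until the instance runs a fixed release; base `all` is reported too because it implies every feature privilege, Fleet included.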
Vendor Security History
Elastic has previously addressed multiple XSS vulnerabilities in Kibana, including:
- CVE-2020-7017 (XSS in region map visualization)
- CVE-2020-7015 (stored XSS in TSVB visualization)
- CVE-2025-25009 (stored XSS in case file upload, patched in the same advisory as CVE-2025-25018)
Elastic typically provides timely patches and detailed advisories. The recurrence of XSS issues in Kibana highlights the ongoing complexity of input validation and output encoding in large web applications.