CVE-2025-25015

CRITICAL Year: 2025
CVSS v3 Score
9.9
Critical
Weakness Type
CWE-1321
View all →

Vulnerability Description

Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests. In Kibana versions >= 8.15.0 and < 8.17.1, this is exploitable by users with the Viewer role. In Kibana versions 8.17.1 and 8.17.2 , this is only exploitable by users that have roles that contain all the following privileges: fleet-all, integrations-all, actions:execute-advanced-connectors

Related Vulnerabilities

CVE-2019-0230

CRITICAL
CVSS:9.8(Critical)

Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.

CWE-13212019

CVE-2019-14379

CRITICAL
CVSS:9.8(Critical)

SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leadi...

CWE-13212019

CVE-2019-19919

CRITICAL
CVSS:9.8(Critical)

Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow...

CWE-13212019

CVE-2020-12079

CRITICAL
CVSS:10.0(Critical)

Beaker before 0.8.9 allows a sandbox escape, enabling system access and code execution. This occurs because Electron context isolation is not used, and therefore an attacker can conduct a prototype-po...

CWE-13212020

CVE-2020-28269

CRITICAL
CVSS:9.8(Critical)

Prototype pollution vulnerability in 'field' versions 0.0.1 through 1.0.1 allows attacker to cause a denial of service and may lead to remote code execution.

CWE-13212020

CVE-2020-28270

CRITICAL
CVSS:9.8(Critical)

Prototype pollution vulnerability in 'object-hierarchy-access' versions 0.2.0 through 0.32.0 allows attacker to cause a denial of service and may lead to remote code execution.

CWE-13212020