CVE-2025-25014: A Prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine lea
Summary
CVE-2025-25014 is a prototype pollution vulnerability (a type of bug where an attacker modifies the basic template that objects are built from) in Kibana that allows attackers to execute arbitrary code (run commands they shouldn't be able to run) by sending specially crafted HTTP requests (malicious web requests) to machine learning and reporting endpoints. The vulnerability affects multiple versions of Kibana and was identified by Elastic.
Solution / Mitigation
A security update is available from Elastic for Kibana versions 8.17.6, 8.18.1, or 9.0.1, as referenced in the Elastic vendor advisory at https://discuss.elastic.co/t/kibana-8-17-6-8-18-1-or-9-0-1-security-update-esa-2025-07/377868.
Vulnerability Details
9.1(critical)
EPSS: 2.5%
Classification
Taxonomy References
Affected Vendors
Related Issues
CVE-2022-21727: Tensorflow is an Open Source Machine Learning Framework. The implementation of shape inference for `Dequantize` is vulne
CVE-2026-22252: LibreChat is a ChatGPT clone with additional features. Prior to v0.8.2-rc2, LibreChat's MCP stdio transport accepts arbi
Original source: https://nvd.nist.gov/vuln/detail/CVE-2025-25014
First tracked: February 15, 2026 at 08:53 PM
Classified by LLM (prompt v3) · confidence: 75%