A severe heap corruption vulnerability in Kibana could let attackers achieve remote code execution using specially crafted HTML pages.
The vulnerability, designated as CVE-2025-2135, stems from a Type Confusion flaw in the underlying Chromium engine and carries a maximum CVSSv3.1 score of 9.9, indicating its critical severity level.
Summary
1. Kibana CVE-2025-2135 enables remote code execution via malicious HTML, scoring 9.9/10 severity.
2. PDF/PNG reporting in versions up to 7.17.28, 8.17.7, 8.18.2, and 9.0.2 is vulnerable.
3. Users should upgrade to patched versions (7.17.29, 8.17.8, 8.18.3, or 9.0.3) immediately to eliminate the security risk.
4. Disable reporting by adding xpack.reporting.enabled: false to kibana.yml, or restrict report generation to trusted users only.
The security flaw was initially disclosed by Google on March 10, 2025, and affects Kibana’s PDF and PNG reporting functionality through a Type Confusion vulnerability in Chromium.
Attackers can exploit this weakness by crafting malicious HTML pages that trigger heap corruption when processed during report generation.
The vulnerability specifically targets the screenshotting and reporting capabilities that rely on Chromium’s headless browser functionality.
The technical impact is substantial, as the CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H indicates network accessibility, low attack complexity, and high impact on confidentiality, integrity, and availability.
This combination makes it particularly dangerous for organizations running vulnerable Kibana instances with reporting capabilities enabled.
Multiple Kibana version ranges are impacted by this vulnerability. Legacy versions up to and including 7.17.28, current 8.x versions from 8.0.0 through 8.17.7, newer 8.18.x versions up to 8.18.2, and the latest 9.x series from 9.0.0 through 9.0.2 all contain the vulnerable code paths.
The vulnerability specifically affects self-hosted Kibana deployments and Elastic Cloud instances where PDF or PNG reporting features are actively used.
Notably, CSV reporting functionality remains unaffected, and Elastic’s serverless projects are not impacted by this security issue.
Organizations utilizing these specific reporting formats face the highest risk exposure.
| Risk Factors | Details |
| --- | --- |
| Affected Products | Kibana 7.x up to 7.17.28; Kibana 8.0.0 to 8.17.7; Kibana 8.18.0 to 8.18.2; Kibana 9.0.0 to 9.0.2 |
| Impact | Remote code execution (RCE) |
| Exploit Prerequisites | Self-hosted or Elastic Cloud Kibana instance; PDF or PNG reporting functionality enabled; low-privilege user access (PR:L); network access to the target system |
| CVSS 3.1 Score | 9.9 (Critical) |
Elastic strongly recommends immediate upgrades to patched versions: 7.17.29, 8.17.8, 8.18.3, or 9.0.3, which contain fixes for CVE-2025-2135. For organizations unable to upgrade immediately, several mitigation options are available.
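As an added example (not code from the advisory or from Elastic), the following script turns the affected ranges, patched releases and the xpack.reporting.enabled mitigation named above into an inventory check: given a Kibana version string and the text of kibana.yml, it reports whether the vulnerable code is present and whether the PDF/PNG reporting path that reaches it is enabled. The 7.x lower bound of 7.0.0 is an assumption, since the advisory only says "up to 7.17.28".

```python
# Added example (not from the advisory): decide whether a Kibana deployment is
# exposed to CVE-2025-2135 from its version string and its kibana.yml, using the
# affected ranges, fixed releases and xpack.reporting.enabled from the advisory.
# The 7.x floor of 7.0.0 is an assumption; the advisory only says "up to 7.17.28".
from typing import Optional, Tuple

# (lowest affected, highest affected, first fixed release) per range
AFFECTED_RANGES = [
    ("7.0.0", "7.17.28", "7.17.29"),  # floor assumed
    ("8.0.0", "8.17.7", "8.17.8"),
    ("8.18.0", "8.18.2", "8.18.3"),
    ("9.0.0", "9.0.2", "9.0.3"),
]

def parse_version(v: str) -> Tuple[int, int, int]:
    """Turn 'MAJOR.MINOR.PATCH' into a tuple that compares numerically."""
    parts = v.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported Kibana version string: {v!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)

def fixed_release_for(version: str) -> Optional[str]:
    """Patched release to move to, or None if version is in no affected range."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return fixed
    return None

def reporting_enabled(kibana_yml: str) -> bool:
    """Read xpack.reporting.enabled from kibana.yml text (Kibana default: true).
    Handles the flat 'key: value' form the advisory uses, not nested YAML maps."""
    for line in kibana_yml.splitlines():
        stripped = line.split("#", 1)[0].strip()  # drop trailing comments
        if stripped.startswith("xpack.reporting.enabled:"):
            value = stripped.split(":", 1)[1].strip().strip("\"'").lower()
            return value != "false"
    return True

def exposure(version: str, kibana_yml: str = "") -> dict:
    """The vulnerable PDF/PNG path is only reachable with reporting enabled, so a
    reporting-disabled instance is mitigated but still flagged as unpatched."""
    fixed = fixed_release_for(version)
    return {
        "vulnerable_code": fixed is not None,
        "exposed": fixed is not None and reporting_enabled(kibana_yml),
        "upgrade_to": fixed,
    }
```

A version that is mitigated by the configuration flag still shows upgrade_to set, since disabling reporting removes reachability rather than the flaw itself.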
Self-hosted environments can disable reporting entirely by adding xpack.reporting.enabled: false to the kibana.yml configuration file.
Alternatively, administrators can implement restrictive network policies using the screenshotting configuration:
Organizations can also limit PDF/PNG report generation access to trusted user accounts through role-based access controls.
Organizations running Kibana deployments must treat this vulnerability with utmost urgency given its critical severity rating and potential for remote code execution.