CVE-2025-37732
📋 TL;DR
This CVE describes a cross-site scripting (XSS) vulnerability in Kibana's integration package upload functionality that allows authenticated users to inject HTML into other users' browsers. It affects Kibana instances where users can upload integration packages. This vulnerability bypasses a previous fix (ESA-2025-17/CVE-2025-25018) to achieve HTML injection.
💻 Affected Systems
- Elastic Kibana
📦 What is this software?
Kibana by Elastic
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could steal session cookies, perform actions as other users, or redirect users to malicious sites, potentially leading to account compromise or data theft.
Likely Case
An authenticated malicious user injects malicious scripts that execute in other users' browsers, potentially stealing session tokens or performing unauthorized actions.
If Mitigated
With proper input validation and output encoding, the injected HTML would be rendered harmless as plain text rather than executable code.
🎯 Exploit Status
Exploitation requires authenticated access and knowledge of the vulnerability; it bypasses the previous XSS fix (ESA-2025-17/CVE-2025-25018).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kibana 8.19.8, 9.1.8, and 9.2.2 (per ESA-2025-28)
Vendor Advisory: https://discuss.elastic.co/t/kibana-8-19-8-9-1-8-and-9-2-2-security-update-esa-2025-28/384064
Restart Required: Yes
Instructions:
1. Review Elastic advisory ESA-2025-28.
2. Upgrade Kibana to version 8.19.8, 9.1.8, or 9.2.2.
3. Restart the Kibana service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Disable integration package upload
Temporarily disable the integration package upload functionality if it is not required.
Configuration depends on Kibana deployment; consult Kibana documentation for disabling specific features
Implement WAF rules
Deploy web application firewall rules to detect and block XSS payloads in upload requests.
🧯 If You Can't Patch
- Restrict access to integration package upload functionality to trusted administrators only
- Implement Content Security Policy (CSP) headers to mitigate impact of successful XSS exploitation
🔍 How to Verify
Check if Vulnerable:
Check Kibana version against affected versions in ESA-2025-28; if using integration package upload feature and version is below patched versions, assume vulnerable
Check Version:
curl -X GET "http://localhost:5601/api/status" | grep "number"
Verify Fix Applied:
Verify Kibana version is 8.19.8, 9.1.8, or 9.2.2 or higher; test integration package upload functionality with XSS payloads
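The version check above can be scripted. The following is an added example (not Elastic's code and not from the advisory) that takes the JSON returned by Kibana's /api/status endpoint, reads version.number, and compares it against the three fixed releases named in ESA-2025-28. The comparison rule is this example's own conservative reading of "below patched versions": a build must be at or above the lowest listed fix whose release line is not older than its own, so 9.0.x and 8.18.x are reported vulnerable and a line newer than every listed fix (e.g. 9.3.x) is treated as fixed. The sample status document is constructed; the advisory remains authoritative for any line not listed.

```python
"""Assess a Kibana version against the fixed releases in ESA-2025-28.

Added example; the fixed versions come from the advisory, the comparison
rule and the sample /api/status document are this example's assumptions.
"""
import json
import re

# Fixed releases named in ESA-2025-28.
FIXED_VERSIONS = [(8, 19, 8), (9, 1, 8), (9, 2, 2)]

# Constructed stand-in for the relevant part of a /api/status response;
# the real response carries many more fields, only version.number is used.
SAMPLE_STATUS = json.dumps({
    "name": "kibana-01",
    "version": {"number": "8.19.7", "build_hash": "<placeholder>"},
})


def parse_version(text):
    """Turn '8.19.7' (a -SNAPSHOT suffix is tolerated) into a tuple of ints."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version_text):
    """Return 'fixed' or 'vulnerable' for a Kibana version string.

    Conservative rule (assumption of this example): the version must be at or
    above the lowest fixed release whose line is not older than its own line.
    A line newer than every listed fix is treated as fixed.
    """
    v = parse_version(version_text)
    line_floor = (v[0], v[1], 0)
    candidates = [f for f in FIXED_VERSIONS if f >= line_floor]
    if not candidates:
        return "fixed"
    return "fixed" if v >= min(candidates) else "vulnerable"


def assess_status_json(status_json):
    """Parse /api/status JSON and return (version string, assessment)."""
    number = json.loads(status_json)["version"]["number"]
    return number, assess(number)


if __name__ == "__main__":
    # In practice: pipe `curl -s http://localhost:5601/api/status` into this.
    number, verdict = assess_status_json(SAMPLE_STATUS)
    print(f"Kibana {number}: {verdict}")
```

Note that /api/status may itself require authentication on hardened deployments, so the curl call on this page would need credentials there; the assessment logic is unchanged.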
📡 Detection & Monitoring
Log Indicators:
- Unusual integration package uploads with HTML/script content
- Multiple failed upload attempts with suspicious payloads
Network Indicators:
- HTTP POST requests to integration upload endpoints containing script tags or JavaScript
SIEM Query:
source="kibana.log" AND "integration" AND "upload" AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=")
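As an added worked example (not from the page, Elastic, or any SIEM vendor), the script below applies the two log indicators and the SIEM query above to a handful of constructed log lines: it flags lines that mention an integration upload and carry one of the listed markers, and it counts repeated failed upload attempts per user. The log format, field names and payload text are invented for the example. Two details the literal SIEM query does not settle are made explicit here: marker matching is case-insensitive (an attribute written as ONERROR= would otherwise slip past a case-sensitive search), and, since integration packages are uploaded as archives, these markers can only be matched where a pipeline exposes extracted package contents or error text rather than the compressed request body, which this example assumes has been done upstream.

```python
"""Detection logic for the log indicators on this page, run over constructed
sample lines. Added example; log format and field names are assumptions."""
import re

# Marker strings from the page's SIEM query, matched case-insensitively.
INDICATORS = ["<script>", "javascript:", "onerror=", "onload="]
INDICATOR_RE = re.compile("|".join(re.escape(t) for t in INDICATORS), re.IGNORECASE)
# Both context terms must be present, as in the SIEM query.
CONTEXT_TERMS = ("integration", "upload")

# Constructed sample log lines (not real Kibana output). The payload field
# stands in for whatever extracted text a pipeline makes available.
SAMPLE_LOGS = [
    '2025-01-05T10:00:01Z user=alice action=integration upload name=nginx status=200',
    '2025-01-05T10:02:17Z user=bob action=integration upload name=custom status=200 payload="<img src=x ONERROR=x>"',
    '2025-01-05T10:03:40Z user=carol action=dashboard export status=200 payload="<script>"',
    '2025-01-05T10:05:02Z user=dave action=integration upload name=t1 status=400 payload="javascript:x"',
    '2025-01-05T10:05:09Z user=dave action=integration upload name=t2 status=400 payload="javascript:x"',
]


def is_upload_event(line):
    """True when the line carries both context terms (integration, upload)."""
    lower = line.lower()
    return all(term in lower for term in CONTEXT_TERMS)


def matches_query(line):
    """Mirror of the SIEM query: upload context plus at least one marker."""
    return is_upload_event(line) and INDICATOR_RE.search(line) is not None


def find_suspicious_uploads(lines):
    """Return (line number, sorted lower-cased markers) for each matching line."""
    hits = []
    for n, line in enumerate(lines, start=1):
        if matches_query(line):
            found = sorted({m.group(0).lower() for m in INDICATOR_RE.finditer(line)})
            hits.append((n, found))
    return hits


def failed_uploads_by_user(lines, threshold=2):
    """Second indicator on the page: users with repeated failed upload attempts.

    A failed attempt is an upload event whose status field is 400 or above.
    """
    counts = {}
    for line in lines:
        if not is_upload_event(line):
            continue
        status = re.search(r"\bstatus=(\d{3})\b", line)
        user = re.search(r"\buser=(\S+)", line)
        if status and user and int(status.group(1)) >= 400:
            counts[user.group(1)] = counts.get(user.group(1), 0) + 1
    return {u: c for u, c in counts.items() if c >= threshold}


if __name__ == "__main__":
    for n, markers in find_suspicious_uploads(SAMPLE_LOGS):
        print(f"line {n}: markers {markers}")
    for user, count in failed_uploads_by_user(SAMPLE_LOGS).items():
        print(f"user {user}: {count} failed uploads")
```

The third sample line shows why the context terms matter: a script marker in an unrelated export event is not an upload finding and is left out, which keeps the alert focused on the feature this CVE concerns.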