CVE-2025-68385
📋 TL;DR
This CVE describes a cross-site scripting (XSS) vulnerability in Vega visualization components that allows authenticated users to inject malicious scripts into web content. The vulnerability bypasses previous XSS mitigations and affects Kibana users with authenticated access. Successful exploitation could lead to session hijacking, data theft, or unauthorized actions.
💻 Affected Systems
- Elastic Kibana
📦 What is this software?
Kibana by Elastic
⚠️ Risk & Real-World Impact
Worst Case
An attacker could steal administrator session cookies, gain full administrative access to Kibana, exfiltrate sensitive data, and potentially pivot to other systems in the environment.
Likely Case
Authenticated attackers could steal other users' session tokens, perform actions on their behalf, or capture sensitive information displayed in Kibana dashboards.
If Mitigated
With proper network segmentation, strong authentication controls, and content security policies, the impact is limited to the Kibana instance itself.
🎯 Exploit Status
Exploitation requires authenticated access; because the vulnerability bypasses existing XSS mitigations, exploitation is easier than for a typical XSS.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kibana 8.19.9, 9.1.9, 9.2.3
Vendor Advisory: https://discuss.elastic.co/t/kibana-8-19-9-9-1-9-and-9-2-3-security-update-esa-2025-34/384182
Restart Required: Yes
Instructions:
1. Identify your Kibana version.
2. Upgrade to Kibana 8.19.9, 9.1.9, or 9.2.3 depending on your current version track.
3. Restart the Kibana service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Restrict Vega Visualization Access
Limit which users can create or modify Vega visualizations to reduce the attack surface
Configure Kibana role-based access control to restrict Vega visualization permissions
Implement Content Security Policy
Add CSP headers to restrict script execution from untrusted sources
Add 'Content-Security-Policy' header with appropriate directives to Kibana configuration
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Kibana instances from sensitive systems
- Enforce strong authentication controls and monitor for suspicious user activity
🔍 How to Verify
Check if Vulnerable:
Check Kibana version via web interface or API; versions prior to 8.19.9, 9.1.9, or 9.2.3 are vulnerable
Check Version:
curl -X GET "http://localhost:5601/api/status" | grep "number"
Verify Fix Applied:
Verify Kibana version shows 8.19.9, 9.1.9, or 9.2.3 after upgrade
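As an added check that is not part of this advisory, the following Python script reads the version.number field from the /api/status JSON body (the same field the curl step above greps for) and classifies it against the fixed releases listed on this page. The sample response body is constructed, and the handling of release tracks the advisory does not mention (older tracks flagged as needing an upgrade, releases newer than 9.2.3 assumed to carry the fix) is an assumption made here.

```python
import json
import re

# Fixed releases from the advisory, keyed by release track (major, minor).
FIXED_VERSIONS = {
    (8, 19): (8, 19, 9),
    (9, 1): (9, 1, 9),
    (9, 2): (9, 2, 3),
}


def parse_version(version: str) -> tuple:
    """Turn '9.1.8' (optionally with a suffix such as '-SNAPSHOT') into (9, 1, 8)."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Kibana version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version: str) -> bool:
    """True if this Kibana version is below the fixed release on its track."""
    v = parse_version(version)
    track = v[:2]
    if track in FIXED_VERSIONS:
        return v < FIXED_VERSIONS[track]
    # Assumption: a release newer than the newest fixed version carries the fix;
    # an older track with no fixed release of its own needs an upgrade to one.
    return v < max(FIXED_VERSIONS.values())


def check_status_response(body: str) -> dict:
    """Extract the version from a Kibana /api/status JSON body and classify it."""
    data = json.loads(body)
    number = data["version"]["number"]
    return {"version": number, "vulnerable": is_vulnerable(number)}


# Constructed stand-in for the relevant part of a /api/status response (not real output).
SAMPLE_STATUS = json.dumps({
    "name": "kibana-01",
    "version": {"number": "9.1.8", "build_hash": "placeholder-build-hash"},
})

if __name__ == "__main__":
    # Replace SAMPLE_STATUS with the body returned by curl -s http://localhost:5601/api/status
    print(check_status_response(SAMPLE_STATUS))
```

The version comparison is done on integer tuples rather than strings so that, for example, 8.19.10 would not sort below 8.19.9.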
📡 Detection & Monitoring
Log Indicators:
- Unusual Vega visualization creation/modification patterns
- Multiple failed authentication attempts followed by successful login
Network Indicators:
- Unexpected outbound connections from Kibana server
- Suspicious payloads in HTTP requests to visualization endpoints
SIEM Query:
source="kibana.log" AND ("vega" OR "visualization") AND ("create" OR "update") | stats count by user, src_ip
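The aggregation the SIEM query above expresses, implemented as an added Python example over a handful of log lines (not code from the advisory). The sample lines are constructed, and the field names (user, src_ip, action, object_type, vis_type) are assumptions for this example rather than Kibana's real audit log schema; map them to whatever your log pipeline actually emits.

```python
import json
from collections import Counter

# Constructed sample events standing in for Kibana saved-object audit log lines.
# Field names are assumptions made for this example, not Kibana's audit schema.
SAMPLE_LOG_LINES = [
    '{"user": "alice", "src_ip": "10.0.0.5", "action": "saved_object_create", "object_type": "visualization", "vis_type": "vega"}',
    '{"user": "alice", "src_ip": "10.0.0.5", "action": "saved_object_update", "object_type": "visualization", "vis_type": "vega"}',
    '{"user": "alice", "src_ip": "10.0.0.5", "action": "saved_object_update", "object_type": "visualization", "vis_type": "vega"}',
    '{"user": "bob", "src_ip": "10.0.0.9", "action": "saved_object_create", "object_type": "visualization", "vis_type": "lens"}',
    '{"user": "bob", "src_ip": "10.0.0.9", "action": "saved_object_get", "object_type": "visualization", "vis_type": "vega"}',
    '{"user": "carol", "src_ip": "10.0.0.7", "action": "saved_object_update", "object_type": "visualization", "vis_type": "vega"}',
    "not valid json at all",
]

# Only creations and modifications matter; plain reads of a Vega visualization do not.
VEGA_CHANGE_ACTIONS = {"saved_object_create", "saved_object_update"}


def parse_event(line: str):
    """Parse one JSON log line; return None for lines that are not valid JSON."""
    try:
        return json.loads(line)
    except json.JSONDecodeError:
        return None


def is_vega_change(event: dict) -> bool:
    """True for create/update events on a visualization whose type is vega."""
    return (
        event.get("action") in VEGA_CHANGE_ACTIONS
        and event.get("object_type") == "visualization"
        and event.get("vis_type") == "vega"
    )


def vega_changes_by_actor(lines) -> Counter:
    """Equivalent of 'stats count by user, src_ip' over Vega create/update events."""
    counts = Counter()
    for line in lines:
        event = parse_event(line)
        if event is not None and is_vega_change(event):
            counts[(event.get("user"), event.get("src_ip"))] += 1
    return counts


def flag_bursty_actors(lines, threshold: int = 3) -> list:
    """Return (user, src_ip, count) for actors at or above the threshold, highest count first."""
    counts = vega_changes_by_actor(lines)
    flagged = [(user, ip, n) for (user, ip), n in counts.items() if n >= threshold]
    return sorted(flagged, key=lambda t: -t[2])


if __name__ == "__main__":
    for user, ip, n in flag_bursty_actors(SAMPLE_LOG_LINES):
        print(f"review: {user} from {ip} changed Vega visualizations {n} times")
```

The threshold is a starting point, not a rule: a dashboard author legitimately saving a Vega spec several times will trip it, so pair the count with who the user is and whether Vega editing is expected for that role, as the access-restriction workaround above suggests.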