Elastic Safety has disclosed important vulnerabilities affecting Kibana that might allow attackers to execute Server-Facet Request Forgery (SSRF) and Cross-Web site Scripting (XSS) assaults towards susceptible deployments.
The vulnerabilities stem from insufficient origin validation within the Observability AI Assistant part.
The first vulnerability, tracked as CVE-2025-37734 beneath Elastic Safety Advisory ESA-2025-24, includes an origin validation error in Kibana.
This flaw permits attackers to forge Origin HTTP headers, bypassing safety controls designed to forestall unauthorized requests from exterior sources.
By exploiting this weak point, malicious actors can craft requests that trick Kibana into sending requests to unintended locations or executing unintended actions.
FieldDetailsCVE IDCVE-2025-37734Vulnerability TypeOrigin Validation Error (SSRF)CVSS Score4.3 (Medium)Assault VectorNetworkAffected Versions8.12.0-8.19.6, 9.1.0-9.1.6, 9.2.0Patch Versions8.19.7, 9.1.7, 9.2.1
The SSRF vulnerability allows attackers to entry inside community sources or providers that ought to stay remoted from exterior entry.
This will result in info disclosure, lateral motion inside networks, or additional exploitation of backend techniques.
The vulnerability impacts a number of Kibana variations, making it a widespread concern for organizations operating affected deployments.
Elastic researchers report that the vulnerability solely impacts deployments actively utilizing the Observability AI Assistant characteristic. The vulnerability impacts: Kibana 8.12.0 via 8.19.6, Kibana 9.1.0 via 9.1.6, and Kibana 9.2.0.
Organizations with out this part enabled are usually not affected by this flaw, which has a medium severity ranking (CVSS v3.1 rating of 4.3).
Whereas this will appear average, the affect shouldn’t be underestimated given the potential for unauthorized inside community entry and knowledge manipulation.
Elastic has launched patched variations addressing this vulnerability. Organizations ought to instantly improve to: Kibana 8.19.7, Kibana 9.1.7, and Kibana 9.2.1.
Elastic Cloud Serverless prospects are already protected, as steady deployment and patching fashions remediated this vulnerability earlier than public disclosure.
Organizations unable to improve instantly ought to think about turning off the Observability AI Assistant characteristic till patches will be utilized.
Moreover, implementing community segmentation and entry controls may also help restrict the potential affect of SSRF exploitation.
Comply with us on Google Information, LinkedIn, and X for every day cybersecurity updates. Contact us to characteristic your tales.
