CVE-2025-25012

Published: Jun 25, 2025Modified: Sep 30, 2025

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.3 / Impact: 2.7

Source: NVD

Description

URL redirection to an untrusted site ('Open Redirect') in Kibana can lead to sending a user to an arbitrary site and server-side request forgery via a specially crafted URL.

Affected (4)

Products: Elastic: Kibana

Elastic

1 product

Kibana

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Elastic Kibana	From 7.0.0 to 7.17.29
Elastic Kibana	From 8.0.0 to 8.17.8
Elastic Kibana	From 8.18.0 to 8.18.3
Elastic Kibana	From 9.0.0 to 9.0.3

Related CWEs

CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

References (1)

https://discuss.elastic.co/t/kibana-7-17-29-8-17-8-8-18-3-9-0-3-security-update-esa-2025-10/379444

Source: security@elastic.co

Issue TrackingPatchVendor Advisory

Timeline

No history available yet.