EXECUTIVE SUMMARY:
Researchers uncovered two security vulnerabilities in Kibana, the visualization and dashboard component of the Elastic Stack, that could allow attackers to perform server-side request forgery (SSRF) and DOM-based cross-site scripting (XSS) attacks. The flaws affect multiple Kibana versions, both on Elastic Cloud and in self-hosted environments. The first issue (CVE-2025-37734), caused by improper origin validation in the Observability AI Assistant, could allow an attacker to make Kibana send forged HTTP requests and so reach internal data. The second, more severe issue (CVE-2025-59840) lies in Kibana's Vega visualization engine, where inadequate input sanitization could allow attacker-supplied JavaScript to execute in a victim's browser. Since Vega is enabled by default, nearly all Kibana instances are exposed unless administrators disable the feature. Elastic has patched both issues in the latest releases and urges all users to update, or to apply the temporary mitigations, immediately.
These vulnerabilities highlight the risks of insufficient input validation and of features that are enabled by default. Upgrading to a patched version is essential to prevent SSRF and XSS exploitation.
RECOMMENDATION:
We strongly recommend updating Kibana, on Elastic Cloud and in self-hosted environments, to version 8.19.7, 9.1.7, or 9.2.1.
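The following is an added example, not tooling from Elastic or from the referenced report: a small Python check that compares a Kibana version string against the three fixed releases named above and says which release to upgrade to. It assumes (the page does not say this) that each fixed release closes its own minor branch (8.19.x, 9.1.x, 9.2.x), and it treats any version on a branch without a listed fix conservatively, reporting an upgrade unless the version is newer than every fixed release. The version string can be taken from Kibana's GET /api/status response, whose version.number field is shown here in a constructed sample.

```python
import json
import re

# Fixed releases named in the advisory's recommendation.
FIXED_VERSIONS = ("8.19.7", "9.1.7", "9.2.1")

# major.minor.patch with an optional pre-release/build suffix (e.g. "-SNAPSHOT").
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-+][0-9A-Za-z.-]+)?$")


def parse_version(version):
    """Return (major, minor, patch) for a Kibana version string."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Kibana version: {version!r}")
    return tuple(int(part) for part in m.groups())


def assess(version):
    """Classify a Kibana version against FIXED_VERSIONS.

    Assumption (not stated in the advisory): each fixed release closes its own
    minor branch (8.19.x, 9.1.x, 9.2.x). A version on a branch with no listed
    fix is treated conservatively: newer than every fixed release counts as
    patched, anything else is reported as needing an upgrade to the nearest
    fixed release above it.
    """
    v = parse_version(version)
    fixed = sorted(parse_version(f) for f in FIXED_VERSIONS)
    same_branch = [f for f in fixed if f[:2] == v[:2]]
    if same_branch:
        patched = v >= same_branch[0]
        target = same_branch[0]
    else:
        patched = v > fixed[-1]
        later = [f for f in fixed if f > v]
        target = later[0] if later else None
    return {
        "version": version,
        "patched": patched,
        "upgrade_to": None if patched else ".".join(map(str, target)),
    }


def version_from_status(status_json):
    """Extract version.number from the body of a Kibana GET /api/status response."""
    return json.loads(status_json)["version"]["number"]


# Constructed sample of the relevant part of a /api/status response body.
SAMPLE_STATUS = json.dumps(
    {"name": "kibana-01", "version": {"number": "8.19.6", "build_snapshot": False}}
)


def check_status(status_json):
    """Assess the Kibana instance described by a /api/status response body."""
    return assess(version_from_status(status_json))


if __name__ == "__main__":
    for ver in ("8.19.6", "8.19.7", "9.0.5", "9.1.7", "9.2.0", "9.2.1", "9.3.0"):
        print(assess(ver))
    print(check_status(SAMPLE_STATUS))
```

In practice, fetch the status document with an authenticated request to your Kibana base URL followed by /api/status and pass the response body to check_status. Versions on 9.0.x are reported as needing an upgrade because no 9.0 fix is listed in the recommendation; confirm against Elastic's advisory before treating that as final.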
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/elastic-patches-two-kibana-flaws-ssrf-cve-2025-37734-and-xss-cve-2025-59840-flaws-affect-multiple-versions/