CVE-2025-25012 — Open Redirect in Kibana

CWE-601 — Open Redirect CWE-416 — Use After Free CWE-125 — Out-of-bounds Read7 documents6 sources

Severity

5.4MEDIUMNVD

CNA4.3

EPSS

0.3%

top 51.33%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Elastic Kibana

Timeline

PublishedJun 25

Latest updateJul 8

Description

URL redirection to an untrusted site ('Open Redirect') in Kibana can lead to sending a user to an arbitrary site and server-side request forgery via a specially crafted URL.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶NVDelastic/kibana7.0.0 — 7.17.29+3

▶CVEListV5elastic/kibana7.0.0 — 7.17.28+3

Patches

Patch: discuss.elastic.co ↗

🔴Vulnerability Details

GHSA

GHSA-q9rj-xvg6-v42w: URL redirection to an untrusted site ('Open Redirect') in Kibana can lead to sending a user to an arbitrary site and server-side request forgery via a↗2025-06-26

▶

CVEList

Kibana Open Redirect↗2025-06-25

▶

💥Exploits & PoCs

Exploit-DB

Microsoft Defender for Endpoint (MDE) - Elevation of Privilege↗2025-07-08

▶

📋Vendor Advisories

Red Hat

kibana: Kibana Open Redirect↗2025-06-25

▶

Microsoft

The Linux kernel through 6.1.9 has a Use-After-Free in bigben_remove in drivers/hid/hid-bigbenff.c via a crafted USB device because the LED controllers remain registered for too long.↗2023-02-14

▶

Microsoft

A heap-based buffer overflow was found in libwebp in versions before 1.0.1 in GetLE24().↗2021-05-11

▶