CVE-2025-25012
Published 2025-06-25
CVE-2025-25012: URL redirection to an untrusted site ('Open Redirect') in Kibana can lead to sending a user to an arbitrary site and server-side request forgery via a specially crafted URL.
Priority: P4 · 26 · Severity: medium · CVSS 3.1 base score: 5.4
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.39% (30.8th percentile)
URL redirection to an untrusted site ('Open Redirect') in Kibana can lead to sending a user to an arbitrary site and server-side request forgery via a specially crafted URL.
Affected
20 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| elastic | kibana | >= 7.0.0 < 7.17.29 | 7.17.29 |
| elastic | kibana | 7.0.0 – 7.17.28 | — |
| elastic | kibana | >= 8.0.0 < 8.17.8 | 8.17.8 |
| elastic | kibana | 8.0.0 – 8.17.7 | — |
| elastic | kibana | >= 8.18.0 < 8.18.3 | 8.18.3 |
| elastic | kibana | 8.18.0 – 8.18.2 | — |
| elastic | kibana | >= 9.0.0 < 9.0.3 | 9.0.3 |
| elastic | kibana | 9.0.0 – 9.0.2 | — |
| msrc | azl3_hyperv-daemons_6.6.14.1-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_hyperv-daemons_6.6.92.2-1_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_hyperv-daemons_5.15.118.1-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_kernel_5.15.107.1-2_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_1.0_arm | — | — |
| msrc | cbl_mariner_1.0_x64 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| msrc | cm1_kernel_5.10.177.1-1_on_cbl_mariner_1.0 | — | — |
| msrc | cm1_libwebp_1.0.3-1_on_cbl_mariner_1.0 | — | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd v3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| vendor_msrc | 9.1 | CRITICAL | — |
| vendor_redhat | 4.3 | MEDIUM | — |
Red Hat
kibana: Kibana Open Redirect
vendor_redhat · 2025-06-25 · CVSS 4.3
CVE-2025-25012 [MEDIUM] CWE-601 kibana: Kibana Open Redirect
An open redirect flaw has been discovered in the Kibana interface. An attacker can craft a URL which may redirect a user to an arbitrary third-party site.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Package: openshift-logging/kibana6-rhel8 (Logging Subsystem for Red Hat OpenShift) - Fix deferred
Microsoft
The Linux kernel through 6.1.9 has a Use-After-Free in bigben_remove in drivers/hid/hid-bigbenff.c via a crafted USB device because the LED controllers remain registered for too long.
vendor_msrc · 2023-02-14 · CVSS 4.6
CVE-2023-25012 [MEDIUM] CWE-416 The Linux kernel through 6.1.9 has a Use-After-Free in bigben_remove in drivers/hid/hid-bigbenff.c via a crafted USB device because the LED controllers remain registered for too long.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Microsoft
A heap-based buffer overflow was found in libwebp in versions before 1.0.1 in GetLE24().
vendor_msrc · 2021-05-11 · CVSS 9.1
CVE-2018-25012 [CRITICAL] CWE-125 A heap-based buffer overflow was found in libwebp in versions before 1.0.1 in GetLE24().
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Tags: Mariner, redhat
Customer Action Required: Yes
Remediation: CBL-Mariner
GHSA
GHSA-q9rj-xvg6-v42w: URL redirection to an untrusted site ('Open Redirect') in Kibana can lead to sending a user to an arbitrary site and server-side request forgery via a specially crafted URL.
ghsa_unreviewed · 2025-06-26
CVE-2025-25012 [MEDIUM] CWE-601 GHSA-q9rj-xvg6-v42w: URL redirection to an untrusted site ('Open Redirect') in Kibana can lead to sending a user to an arbitrary site and server-side request forgery via a specially crafted URL.
URL redirection to an untrusted site ('Open Redirect') in Kibana can lead to sending a user to an arbitrary site and server-side request forgery via a specially crafted URL.
No detection rules found.
No writeups or analysis indexed.
Published: 2025-06-25