CVE-2025-37734
Published 2025-11-12. CVE-2025-37734: Origin Validation Error in Kibana can lead to Server-Side Request Forgery via a forged Origin HTTP header processed by the Observability AI Assistant.
Priority P4 · 20 · medium · 4.3 (CVSS 3.1)
AV:N / AC:L / PR:L / UI:N / S:U / C:N / I:L / A:N
EPSS
0.20%
9.7th percentile
Origin Validation Error in Kibana can lead to Server-Side Request Forgery via a forged Origin HTTP header processed by the Observability AI Assistant.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| elastic | kibana | — | — |
| elastic | kibana | >= 8.12.0 < 8.19.7 | 8.19.7 |
| elastic | kibana | 8.12.0 – 8.19.6 | — |
| elastic | kibana | >= 9.1.0 < 9.1.7 | 9.1.7 |
| elastic | kibana | 9.1.0 – 9.1.6 | — |
CVSS provenance
nvd · v3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
vendor_redhat · 4.3 MEDIUM
GHSA
GHSA-m9mr-r5g3-7p6r: Origin Validation Error in Kibana can lead to Server-Side Request Forgery via a forged Origin HTTP header processed by the Observability AI Assistant
ghsa_unreviewed·2025-11-12
CVE-2025-37734 [MEDIUM] CWE-346 GHSA-m9mr-r5g3-7p6r: Origin Validation Error in Kibana can lead to Server-Side Request Forgery via a forged Origin HTTP header processed by the Observability AI Assistant
Origin Validation Error in Kibana can lead to Server-Side Request Forgery via a forged Origin HTTP header processed by the Observability AI Assistant.
Red Hat
kibana: Kibana: Origin Validation Error leads to Server-Side Request Forgery
vendor_redhat·2025-11-12·CVSS 4.3
CVE-2025-37734 [MEDIUM] CWE-346 kibana: Kibana: Origin Validation Error leads to Server-Side Request Forgery
kibana: Kibana: Origin Validation Error leads to Server-Side Request Forgery
Origin Validation Error in Kibana can lead to Server-Side Request Forgery via a forged Origin HTTP header processed by the Observability AI Assistant.
A flaw was found in Kibana. This vulnerability allows Server-Side Request Forgery via a forged Origin HTTP header.
Statement: This vulnerability doesn't affect any supported Red Hat product, as this vulnerability affects Kibana through the following versions:
8.12.0 up to and including 8.19.6
9.1.0 up to and including 9.1.6
9.2.0
The Kibana version shipped with OpenShift Logging 5.8, however, is Kibana 6.8.1.
Package: openshift-logging/kibana6-rhel8 (Logging Subsystem for Red Hat OpenShift) - Not affected
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-11-12