Severity
High
Analysis Summary
CVE-2025-37727 CVSS:5.7
Insertion of sensitive information in log file in Elasticsearch can lead to loss of confidentiality under specific preconditions when auditing requests to the reindex API
CVE-2025-25018 CVSS:8.7
Improper Neutralization of Input During Web Page Generation in Kibana can lead to stored Cross-Site Scripting (XSS)
CVE-2025-25017 CVSS:8.2
Improper Neutralization of Input During Web Page Generation in Kibana can lead to Cross-Site Scripting (XSS)
Impact
- Information Disclosure
- Cross-Site Scripting
Indicators of Compromise
CVE
CVE-2025-37727
CVE-2025-25018
CVE-2025-25017
Affected Vendors
- Elastic
Affected Products
- Elasticsearch 7.0.0 - 7.17.29
- Elasticsearch 8.0.0 - 8.18.7
- Elasticsearch 8.19.0 - 8.19.4
- Elasticsearch 9.0.0 - 9.0.7
- Elasticsearch 9.1.0 - 9.1.4
- Elastic Kibana 7.0.0 - 7.17.29
- Elastic Kibana 8.0.0 - 8.18.7
- Elastic Kibana 8.19.0 - 8.19.4
- Elastic Kibana 9.0.0 - 9.0.7
- Elastic Kibana 9.1.0 - 9.1.4
Remediation
Refer to Elastic Security Advisory for patch, upgrade, or suggested workaround information.