CVE-2024-12556: Elastic Kibana RCE Vulnerability

CVE-2024-12556 is a remote code execution vulnerability in Elastic Kibana caused by prototype pollution. Attackers can exploit file upload and path traversal flaws to inject code. This article covers technical details.

CVE-2024-12556 Overview

CVE-2024-12556 is a critical Prototype Pollution vulnerability in Elastic Kibana that enables attackers to achieve code injection through a combination of unrestricted file upload and path traversal techniques. This vulnerability allows unauthenticated remote attackers to compromise Kibana instances by exploiting the application's JavaScript prototype chain, potentially leading to complete system compromise.

Critical Impact

Unauthenticated remote attackers can achieve arbitrary code execution on vulnerable Kibana servers by chaining prototype pollution with file upload and path traversal vulnerabilities, potentially compromising the entire Elastic Stack deployment.

Affected Products

  • Elastic Kibana (versions prior to 8.16.4)
  • Elastic Kibana (versions 8.17.x prior to 8.17.2)

Discovery Timeline

  • 2025-04-08 - CVE-2024-12556 published to NVD
  • 2025-10-02 - Last updated in NVD database

Technical Details for CVE-2024-12556

Vulnerability Analysis

This vulnerability represents a sophisticated attack chain combining multiple vulnerability classes. The core issue stems from Prototype Pollution (CWE-1321), a JavaScript-specific vulnerability that occurs when an attacker can modify the prototype of a base object, affecting all objects that inherit from it.

In the context of Kibana, this prototype pollution vulnerability is exploitable through a combination of unrestricted file upload functionality and path traversal weaknesses. When successfully exploited, attackers can inject arbitrary properties into JavaScript object prototypes, which then propagate throughout the application, ultimately enabling code injection.

The network-accessible nature of this vulnerability means that any Kibana instance exposed to the network is potentially at risk. The attack requires no authentication and no user interaction, making it particularly dangerous for internet-facing deployments.

Root Cause

The root cause lies in insufficient input validation and sanitization in Kibana's file handling mechanisms. Specifically:

  1. Prototype Pollution: The application fails to properly sanitize user-controlled input before using it to set object properties, allowing attackers to inject the __proto__ or constructor.prototype properties.

  2. Unrestricted File Upload: The file upload functionality does not adequately restrict the types or content of uploaded files, enabling attackers to upload malicious payloads.

  3. Path Traversal: Insufficient validation of file paths allows attackers to write files outside of intended directories, enabling them to place malicious code in executable locations.
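The prototype pollution step described above, as an added illustration of CWE-1321 that is not Kibana's code: a naive recursive merge of parsed JSON follows a "__proto__" key into Object.prototype, while the hardened merge refuses the dangerous keys. The merge functions, the constructed payload and the demo() helper are all assumptions made for this example.

```javascript
// Added illustration of CWE-1321, not Kibana's code: a naive recursive merge
// follows a "__proto__" key from attacker-controlled JSON into Object.prototype.
const POLLUTING_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Vulnerable: target["__proto__"] resolves to Object.prototype, so nested
// values are written onto every object in the process.
function unsafeMerge(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: reject polluting keys and only descend into own properties.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (POLLUTING_KEYS.has(key)) {
      throw new Error(`rejected prototype-polluting key: ${key}`);
    }
    const value = source[key];
    if (isPlainObject(value)) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed payload of the shape the advisory describes; demo() shows the
// effect on an unrelated object and then undoes the pollution.
function demo() {
  const payload = '{"__proto__": {"polluted": "yes"}}';
  unsafeMerge({}, JSON.parse(payload));
  const leaked = ({}).polluted;          // "yes": every object is affected
  delete Object.prototype.polluted;      // undo the pollution
  let rejected = false;
  try { safeMerge({}, JSON.parse(payload)); } catch (e) { rejected = true; }
  return { leaked, rejected, clean: ({}).polluted === undefined };
}
```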

Attack Vector

The attack leverages a network-based vector that can be executed remotely without authentication. An attacker would typically:

  1. Identify a vulnerable Kibana endpoint that processes user-supplied JSON data
  2. Craft a malicious payload that pollutes the JavaScript prototype chain
  3. Leverage the unrestricted file upload to introduce malicious content
  4. Use path traversal techniques to place the payload in a location where it will be executed
  5. Trigger code execution through the polluted prototype, achieving remote code execution

The vulnerability mechanism involves manipulating JavaScript's prototype inheritance. When an attacker injects malicious properties into Object.prototype, these properties become available on all JavaScript objects throughout the application. Combined with the file upload and path traversal issues, this allows complete compromise of the affected system. See the Elastic Security Update Advisory for additional technical details.

Detection Methods for CVE-2024-12556

Indicators of Compromise

  • Unusual HTTP requests to Kibana containing __proto__, constructor, or prototype in JSON payloads
  • Unexpected file creation or modification in Kibana installation directories
  • Log entries showing path traversal sequences such as ../ in file upload requests
  • Anomalous process execution originating from the Kibana service

Detection Strategies

  • Monitor Kibana access logs for suspicious POST requests with prototype pollution indicators in request bodies
  • Implement web application firewall (WAF) rules to detect and block requests containing prototype pollution patterns
  • Deploy file integrity monitoring on Kibana installation directories to detect unauthorized modifications
  • Enable and review Kibana audit logs for unusual administrative operations
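The log-based indicators and the access-log monitoring strategy above, as an added example that is not from the advisory or from Elastic: it scans constructed access-log lines for prototype-polluting JSON keys and path traversal sequences, decoding percent-encoding once so encoded variants are not missed. The line format, endpoint paths and sample entries are constructed placeholders, not Kibana's own log format or API.

```javascript
// Added example, not from the advisory or Elastic: scan constructed access-log
// lines ("<method> <path> <json-body-or-dash>") for the indicators listed above.
// Real Kibana/proxy log formats differ; adapt the line parser accordingly.
const PROTO_KEY_RE = /"(__proto__|constructor|prototype)"\s*:/;
const TRAVERSAL_RE = /\.\.[\\/]/;

// Decode percent-encoding once so "..%2F" and encoded key names are not
// missed; malformed encodings fall back to the raw text.
function decodeOnce(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Returns the indicator names found in one log line (empty if clean).
function findIndicators(line) {
  const m = line.match(/^(\S+)\s+(\S+)\s*(.*)$/);
  if (!m) return [];
  const [, method, path, body] = m;
  const decodedPath = decodeOnce(path);
  const decodedBody = decodeOnce(body);
  const hits = [];
  if (method === "POST" && PROTO_KEY_RE.test(decodedBody)) {
    hits.push("prototype-pollution-key");
  }
  if (TRAVERSAL_RE.test(decodedPath) || TRAVERSAL_RE.test(decodedBody)) {
    hits.push("path-traversal");
  }
  return hits;
}

// Scan a whole log and report 1-based line numbers with their indicators.
function scanLog(lines) {
  const alerts = [];
  lines.forEach((line, i) => {
    const hits = findIndicators(line);
    if (hits.length > 0) alerts.push({ line: i + 1, indicators: hits });
  });
  return alerts;
}

// Constructed sample log; endpoint paths are placeholders, not Kibana's.
const SAMPLE_LOG = [
  'POST /api/example/import {"type":"dashboard","title":"web traffic"}',
  'POST /api/example/import {"__proto__":{"polluted":"1"},"type":"dashboard"}',
  'POST /api/example/upload?name=..%2F..%2Fsomewhere%2Fx.txt {"data":"..."}',
  'GET /app/home -',
  'POST /api/example/upload {"name":"../../config/x.yml","data":"..."}',
];
```

scanLog(SAMPLE_LOG) flags lines 2, 3 and 5; a legitimate body containing a key literally named "constructor" will also be flagged, so treat hits as triage leads rather than confirmed exploitation.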

Monitoring Recommendations

  • Configure SIEM alerts for requests containing prototype pollution signatures targeting Kibana endpoints
  • Implement network traffic analysis to identify exploitation attempts through payload inspection
  • Monitor Kibana process behavior for signs of code injection such as spawning child processes or unusual network connections
  • Establish baseline metrics for Kibana API usage patterns to detect anomalous activity

How to Mitigate CVE-2024-12556

Immediate Actions Required

  • Upgrade Elastic Kibana to version 8.16.4 or 8.17.2 immediately
  • Restrict network access to Kibana instances using firewall rules or network segmentation
  • Implement authentication requirements for all Kibana access if not already in place
  • Review Kibana logs for any signs of prior exploitation attempts

Patch Information

Elastic has released security updates to address this vulnerability. Organizations should update to the following patched versions:

  • Kibana 8.16.x users: Upgrade to version 8.16.4 or later
  • Kibana 8.17.x users: Upgrade to version 8.17.2 or later

For detailed upgrade instructions and additional information, refer to the Elastic Security Update Advisory (ESA-2025-02).

Workarounds

  • Place Kibana behind a reverse proxy that filters requests containing prototype pollution patterns
  • Restrict Kibana access to trusted networks only using firewall rules or VPN requirements
  • Disable or restrict file upload functionality if not operationally required
  • Implement strict Content Security Policy (CSP) headers to limit the impact of potential code injection

```bash
# Example: Restrict Kibana network access using iptables
# Allow access only from the trusted management network (adjust the subnet).
# -A appends, so the ACCEPT rule must be added before the DROP rule.
iptables -A INPUT -p tcp --dport 5601 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 5601 -j DROP
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.