
Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2025-25012

The following issues may affect your Liferay-Elastic stack.

Vulnerability Information

CVE: CVE-2025-25012
Severity: CVSSv3.1: 9.9 (Critical)
Vulnerability Summary: Kibana arbitrary code execution via prototype pollution
Affected Product: Kibana
Affected Versions: 8.15.0 through 8.17.2
Solutions & Mitigations: Users should upgrade to Kibana version 8.17.3.
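
A version check against the affected range listed above, added here as an example (it is not Liferay's or Elastic's code). It assumes each input is the JSON body of a Kibana status response carrying the version at version.number; the host names and sample bodies are constructed.

```python
import json
import re

# Range from this advisory: affected 8.15.0 through 8.17.2, fixed in 8.17.3.
AFFECTED_MIN = (8, 15, 0)
AFFECTED_MAX = (8, 17, 2)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$")


def parse_version(text):
    """Return (major, minor, patch); a suffix such as -SNAPSHOT is ignored."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def classify(version_text):
    """Classify one Kibana version against the CVE-2025-25012 range."""
    version = parse_version(version_text)
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "affected"
    if version > AFFECTED_MAX:
        return "at-or-above-fix"
    return "below-listed-range"


def audit(status_documents):
    """Map host -> verdict from {host: status JSON text}."""
    results = {}
    for host, body in status_documents.items():
        try:
            results[host] = classify(json.loads(body)["version"]["number"])
        except (ValueError, KeyError, TypeError):
            # Bad JSON, an error body (e.g. 401) or an odd version string.
            results[host] = "unknown"
    return results


# Constructed sample responses; hosts are hypothetical.
SAMPLE = {
    "kibana-a.example.internal": '{"version": {"number": "8.16.1"}}',
    "kibana-b.example.internal": '{"version": {"number": "8.17.3"}}',
    "kibana-c.example.internal": '{"version": {"number": "8.14.3"}}',
    "kibana-d.example.internal": '{"version": {"number": "8.17.2-SNAPSHOT"}}',
    "kibana-e.example.internal": '{"statusCode": 401}',
}

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE).items():
        print(f"{host}: {verdict}")
```

Hosts reported as "unknown" need a manual check, since an unreadable response says nothing about the installed version.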

 

Additional Information

General note on CVEs affecting Kibana: Liferay DXP (and the Liferay Enterprise Search Monitoring application, which integrates Kibana's UI as a proxy) does not include the Kibana application binaries. Therefore, Kibana cannot be patched or updated through Liferay hotfixes or quarterly releases. Liferay does not possess additional vulnerability and exploitability information beyond that provided in public security alerts by Elastic.

Search Engine Compatibility

Liferay recommends that customers upgrade their production Elastic Stack to the latest available and compatible version. See the information here for detailed Elasticsearch compatibility, including the compatible connector versions and the required quarterly release/update versions and patch levels.


  • Elastic, Elasticsearch, and X-Pack are trademarks of Elasticsearch BV, registered in the U.S. and in other countries.
