What is CVE-2024-12556?

CVE-2024-12556 is a high-severity vulnerability in Elastic Kibana, classified under Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution). CVSS score: 8.7/10. Published 2025-04-08.

How severe is CVE-2024-12556?

High severity. CVSS v3 base score is 8.7 out of 10.

Is CVE-2024-12556 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Prototype Pollution in Elastic Kibana

CVE-2024-12556

Prototype Pollution in Kibana can lead to code injection via unrestricted file upload combined with path traversal.

Vulnerability class: Prototype Pollution

EPSS: 0.006 (69.4th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.7 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N.

Affected products

Elastic Kibana — versions 8.16.1

Weakness classification (CWE)

CWE-1321 — Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution)

Public proof-of-concept exploits

ARPSyndicate/cve-scores

References

discuss.elastic.co/t/kibana-8-16-4-and-8-17-2-security-update-esa-2025-02/376918

Frequently asked questions

What is CVE-2024-12556?: CVE-2024-12556 is a high-severity vulnerability in Elastic Kibana, classified under Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution). CVSS score: 8.7/10. Published 2025-04-08.
How severe is CVE-2024-12556?: High severity. CVSS v3 base score is 8.7 out of 10.
Is CVE-2024-12556 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.