Rapid7 Vulnerability & Exploit Database

Kibana Timelion Prototype Pollution RCE





Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application can send a request that causes the server to execute attacker-supplied JavaScript, which in turn allows arbitrary command execution with the permissions of the Kibana process on the host system. Exploitation leaves Kibana in a broken state, so a service or system restart is required to restore normal operation. The WFSDELAY (wait-for-session delay) option is crucial for this exploit: set too high it yields MANY shells (50-100+), set too low it yields no shells at all. A WFSDELAY of 10 against a Docker image produced 6 shells. Tested against Kibana 6.5.4.
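The flaw belongs to the prototype-pollution class: a server-side helper that writes attacker-controlled dotted property paths onto an object lets the attacker walk through `__proto__` and plant properties on `Object.prototype`, which every plain object in the process then inherits. The following is an added, self-contained illustration of that mechanism and of the usual fix (reject prototype-related path segments and only write own properties). It is not Kibana's or the Metasploit module's code; the `setPathVulnerable`/`setPathSafe` helpers, the `polluted` key and the `label.__proto__` path shape are constructed for the example and carry no exploit payload.

```javascript
// Added example, not code from Kibana or the Metasploit module.
// Shows how a dotted-path setter pollutes Object.prototype, and a hardened variant.

// Vulnerable: walks the path and creates/assigns each segment verbatim,
// so a segment named "__proto__" steps onto Object.prototype.
function setPathVulnerable(target, path, value) {
  const keys = path.split('.');
  let obj = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (obj[k] === undefined || obj[k] === null) obj[k] = {};
    obj = obj[k];
  }
  obj[keys[keys.length - 1]] = value;
  return target;
}

// Hardened: refuse prototype-related segments outright and only descend into
// own, object-valued properties so inherited properties are never written.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

function setPathSafe(target, path, value) {
  const keys = path.split('.');
  if (keys.some((k) => FORBIDDEN_SEGMENTS.has(k))) {
    throw new Error(`refusing prototype-related segment in path "${path}"`);
  }
  let obj = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(obj, k);
    if (!own || typeof obj[k] !== 'object' || obj[k] === null) obj[k] = {};
    obj = obj[k];
  }
  obj[keys[keys.length - 1]] = value;
  return target;
}

// Demonstrates the pollution: an unrelated object created beforehand suddenly
// "has" the attacker's property. Returns the inherited value, then cleans up.
function demoPollution() {
  const victim = {};   // constructed stand-in for any other object in the process
  const label = {};    // constructed stand-in for the object the attacker writes into
  setPathVulnerable(label, '__proto__.polluted', 'yes');  // attacker-shaped path (constructed)
  const inherited = victim.polluted;                      // 'yes' via Object.prototype
  delete Object.prototype.polluted;                       // undo so the process is not left polluted
  return inherited;
}

// Demonstrates the fix: the same path is rejected, an unrelated object stays
// clean, and a legitimate nested write still works. Returns true on success.
function demoSafe() {
  const victim = {};
  const label = {};
  let blocked = false;
  try {
    setPathSafe(label, '__proto__.polluted', 'yes');
  } catch (e) {
    blocked = true;
  }
  setPathSafe(label, 'style.color', 'red');  // benign nested write (constructed)
  return blocked && victim.polluted === undefined && label.style.color === 'red';
}

console.log('vulnerable setter leaks onto other objects:', demoPollution());
console.log('hardened setter blocks pollution, allows benign writes:', demoSafe());
```

The hardened variant illustrates the general defence for any "set property by path" or deep-merge helper: treat `__proto__`, `constructor` and `prototype` as reserved, and never traverse into inherited properties. In Node.js the pollution is process-wide, which is why an exploit of this class can disrupt the whole server and, as the description above notes, require a restart to recover.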


  • h00die
  • Michał Bentkowski
  • Gaetan Ferry






Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/linux/http/kibana_timelion_prototype_pollution_rce
msf exploit(kibana_timelion_prototype_pollution_rce) > show targets
msf exploit(kibana_timelion_prototype_pollution_rce) > set TARGET < target-id >
msf exploit(kibana_timelion_prototype_pollution_rce) > show options
    ...show and set options...
msf exploit(kibana_timelion_prototype_pollution_rce) > exploit
