Anonymous Intelligence Signal

React Router DOM v5 Compat Library Exposes Critical 8.0 CVSS Vulnerabilities in Kibana Project

Author: The Lab (human) · Status: unverified · 2026-04-17 13:22:58 · Source: GitHub Issues

A critical security exposure has been flagged within a prominent Kibana-related project, directly linked to a widely used React library. The dependency `react-router-dom-v5-compat-6.12.0.tgz` contains two vulnerabilities, the more severe of which scores 8.0 on the CVSS scale. Crucially, these flaws are marked as 'reachable,' indicating that the vulnerable code is not merely present in the dependency tree but sits on a path the application can actually execute at runtime. This discovery was made in the HEAD commit of the `amaybaum-prod/kibana-rnorris-wildemat` repository, placing a live project under immediate security scrutiny.

The specific vulnerabilities are tracked as CVE-2025-68470 and another unspecified CVE. A CVSS score of 8.0 signifies a high-severity risk, typically involving issues that could lead to unauthorized access, data manipulation, or denial of service. The vulnerable library is a compatibility bridge (`v5-compat`) for the popular `react-router-dom` package, a core component for navigation in React applications. The dependency path recorded in the project's `/package.json` shows the vulnerable package sits at the root of the dependency tree, so any functionality that relies on this routing layer is affected.

This incident highlights the persistent supply chain risks in modern software development, especially for projects built within a large ecosystem like Kibana's. The 'reachable' designation increases the pressure on maintainers to apply the remediation, likely an upgrade to a patched version of `react-router-dom-v5-compat`. Failure to address these flaws could leave the associated Kibana project open to significant compromise, undermining data visualization and dashboard security. It serves as a stark warning for all teams using similar dependency chains to audit their `package.json` files for this specific vulnerable version.
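As an added illustration of that audit (example code written for this page, not code from the report or from the Kibana project), the script below scans an npm lockfile, which records the resolved version of every install rather than the ranges in `package.json`, and flags both direct and nested copies of the version named above. The advisory table and sample lockfile are constructed for the example; it assumes the package-lock `packages` map format and does not assume any fixed version, since the report does not state one.

```javascript
// Added example (not code from the report or from Kibana): scan an npm lockfile
// (lockfileVersion 2/3 "packages" map) for install paths that resolve to a
// version listed in a small advisory table. The entry uses the package and
// version named in the report; no fixed version is stated, so exact match only.
const ADVISORIES = [
  { name: "react-router-dom-v5-compat", versions: ["6.12.0"], id: "CVE-2025-68470" },
];

// "node_modules/a/node_modules/b" -> "b"; scoped names keep their "@scope/" prefix.
function packageNameFromPath(pkgPath) {
  const marker = "node_modules/";
  const idx = pkgPath.lastIndexOf(marker);
  return idx === -1 ? pkgPath : pkgPath.slice(idx + marker.length);
}

// Returns every install path (direct or nested) whose resolved version matches.
function findVulnerable(lockfile, advisories = ADVISORIES) {
  const hits = [];
  for (const [pkgPath, meta] of Object.entries(lockfile.packages || {})) {
    if (pkgPath === "") continue; // "" is the root project entry, not a dependency
    const name = packageNameFromPath(pkgPath);
    for (const adv of advisories) {
      if (adv.name === name && adv.versions.includes(meta.version)) {
        hits.push({ name, version: meta.version, path: pkgPath, id: adv.id });
      }
    }
  }
  return hits;
}

// One line per finding, suitable for a CI log.
function report(lockfile) {
  return findVulnerable(lockfile).map(
    (h) => `${h.id}: ${h.name}@${h.version} at ${h.path}`
  );
}

// Constructed sample lockfile: a direct install of the flagged version, a nested
// copy under another package (these are easy to miss), and an unaffected package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/react-router-dom-v5-compat": { version: "6.12.0" },
    "node_modules/some-plugin/node_modules/react-router-dom-v5-compat": { version: "6.12.0" },
    "node_modules/react-router-dom": { version: "5.3.4" },
  },
};

console.log(report(SAMPLE_LOCK).join("\n"));
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; a non-empty result is a failing check for the pipeline.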