Cross-Site Scripting Vulnerability in Grafana by Grafana Labs
CVE-2025-41117

6.8 MEDIUM

Key Information:

Vendor:
Grafana

CVE Published:
12 February 2026

What is CVE-2025-41117?

CVE-2025-41117 is a cross-site scripting (XSS) vulnerability in Grafana, the open-source observability platform used for dashboards, alerting and the exploration of metrics, logs and traces. The flaw is in the Explore Traces view: the stack trace field of a trace was rendered as raw HTML rather than as escaped text, so markup placed in that field, including script-bearing tags, executes in the browser of any user who opens the trace. Because stack traces in span data come from the instrumented application rather than from Grafana itself, the attacker needs a way to influence that trace data, not a Grafana account, and the victim only has to view the affected trace; the CVSS metrics on this page (network vector, no privileges required, high attack complexity, user interaction required) reflect that chain. Organizations running an affected version should upgrade to the patched releases listed below.
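To make the rendering error concrete, the following is an added JavaScript illustration, not Grafana's own code: it shows the unsafe pattern of interpolating a stack trace attribute straight into markup that is later assigned to innerHTML, beside the escaped form that displays the same content as text. The span object, the attribute name `exception.stacktrace`, the CSS class and the payload are all constructed for the example.

```javascript
// Added illustration of the advisory's rendering bug (not Grafana's code).
// A constructed span whose stack trace attribute carries an HTML payload;
// the attribute name and span shape are assumptions for this example.
const SAMPLE_SPAN = {
  name: "checkout",
  attributes: {
    "exception.stacktrace":
      "java.lang.RuntimeException: boom\n" +
      "\tat com.example.Checkout.pay(Checkout.java:42)\n" +
      '<img src=x onerror="alert(document.cookie)">',
  },
};

// Escape the five characters that matter in HTML text and double-quoted
// attribute contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Vulnerable pattern: the attribute value is concatenated into markup
// unchanged, so any tag inside the trace data becomes live DOM once the
// string is assigned to innerHTML (or rendered via dangerouslySetInnerHTML).
function renderStackTraceUnsafe(span) {
  const trace = span.attributes["exception.stacktrace"] ?? "";
  return `<pre class="stack-trace">${trace}</pre>`;
}

// Hardened pattern: escape before interpolation, so the payload is shown as
// text. In React the equivalent is passing the string as a child element
// instead of using dangerouslySetInnerHTML.
function renderStackTraceSafe(span) {
  const trace = span.attributes["exception.stacktrace"] ?? "";
  return `<pre class="stack-trace">${escapeHtml(trace)}</pre>`;
}

// Guard usable in a renderer's unit tests: does the produced markup contain
// any tag other than the wrapper <pre>? Any "<" followed by a name character
// inside the wrapper means trace content reached the DOM as markup.
function containsForeignTag(html) {
  const inner = html
    .replace(/^<pre class="stack-trace">/, "")
    .replace(/<\/pre>$/, "");
  return /<[a-zA-Z!/]/.test(inner);
}

console.log(containsForeignTag(renderStackTraceUnsafe(SAMPLE_SPAN))); // true
console.log(containsForeignTag(renderStackTraceSafe(SAMPLE_SPAN)));   // false
```

The escaped output still shows the attacker's text verbatim in the `<pre>` block, which is what an operator reading a stack trace wants; only its interpretation as markup is removed.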

Potential impact of CVE-2025-41117

  1. Data Exposure: injected script runs in the Grafana origin and can read anything the victim's browser can render, such as dashboard contents, query results and trace data, and send it to an attacker-controlled host.

  2. Session Abuse: the script executes inside the victim's authenticated session. Even where the session cookie itself is not readable by script, the code can call Grafana's HTTP API with the victim's credentials and perform actions as that user, including users with administrative roles.

  3. Integrity Compromise: with the victim's permissions the script can modify dashboards, alert rules or data source settings, so operators may act on altered visualizations or silenced alerts without realizing it.


Affected Version(s)

grafana/grafana 12.2.0 < 12.2.4+security-01

grafana/grafana 12.3.0 < 12.3.2+security-01

grafana/grafana-enterprise 12.2.0 < 12.2.4+security-01
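The fix boundaries above carry a `+security-01` suffix, and that detail trips up naive version checks: the page says 12.2.4 is still inside the affected range because only 12.2.4+security-01 is fixed, whereas tooling that applies strict SemVer precedence ignores build metadata and would call 12.2.4 patched. The helper below is an added example, not Grafana's code; it encodes exactly the three ranges listed on this page and orders the security suffix after the bare version. It only reflects what the page lists, so a package/version pair with no listed range (for instance grafana-enterprise 12.3.x) returns "not affected" and must not be read as a statement that such a version is safe.

```javascript
// Added helper (not Grafana's code): is a reported Grafana version inside the
// affected ranges listed on this page? The "+security-NN" suffix is ordered
// AFTER the bare version, because the page lists 12.2.4+security-01 as the fix
// boundary, so plain 12.2.4 is still affected.
const AFFECTED_RANGES = [
  { pkg: "grafana/grafana", from: "12.2.0", fixed: "12.2.4+security-01" },
  { pkg: "grafana/grafana", from: "12.3.0", fixed: "12.3.2+security-01" },
  { pkg: "grafana/grafana-enterprise", from: "12.2.0", fixed: "12.2.4+security-01" },
];

// Parse "MAJOR.MINOR.PATCH[+security-NN]" (optional leading "v") into a
// comparable tuple; a missing suffix sorts as 0, i.e. before +security-01.
function parseGrafanaVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:\+security-(\d+))?$/.exec(v.trim());
  if (!m) throw new Error(`unrecognised Grafana version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3]), m[4] ? Number(m[4]) : 0];
}

// Lexicographic comparison of the parsed tuples: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseGrafanaVersion(a);
  const pb = parseGrafanaVersion(b);
  for (let i = 0; i < 4; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Return the matching range from this page, or null if none matches.
// A null result only means "no range listed here", not "known safe".
function affectedRange(pkg, version) {
  for (const r of AFFECTED_RANGES) {
    if (r.pkg !== pkg) continue;
    if (compareVersions(version, r.from) >= 0 && compareVersions(version, r.fixed) < 0) {
      return r;
    }
  }
  return null;
}

function isAffected(pkg, version) {
  return affectedRange(pkg, version) !== null;
}

// Example run against a version string such as the one returned in the
// "version" field of Grafana's /api/health endpoint.
console.log(isAffected("grafana/grafana", "12.2.4"));             // true
console.log(isAffected("grafana/grafana", "12.2.4+security-01")); // false
```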

CVSS V3.1

Score: 6.8
Severity: MEDIUM
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Check before copying these metrics into your own tracking: under the CVSS 3.1 base formula, AV:N/AC:H/PR:N/UI:R/S:U with C:H/I:H/A:H scores 7.5, not 6.8. A 6.8 corresponds to the same vector with Availability: None, so either the score or the Availability metric shown here is inconsistent; confirm the vector against the vendor advisory.

Timeline

  • Vulnerability published: 12 February 2026

  • Vulnerability reserved