Cross-Site Scripting Vulnerability in Grafana by Grafana Labs
CVE-2025-4123

7.6 HIGH

Key Information:

Vendor: Grafana
Status: Vendor
CVE Published: 22 May 2025

Badges

🔥 Trending now · 📈 Trended · 📈 Score: 1,500 · 👾 Exploit Exists · 🟡 Public PoC · 📰 News Worthy

What is CVE-2025-4123?

CVE-2025-4123 is a vulnerability within the Grafana platform, which is a widely used open-source analytics and monitoring solution. Grafana allows organizations to visualize and analyze metrics from various data sources, making it a critical tool for operational intelligence. The identified vulnerability is a cross-site scripting (XSS) flaw caused by the combination of a client path traversal issue and an open redirect. This vulnerability can have severe implications, as it enables attackers to redirect users to malicious websites that host frontend plugins capable of executing arbitrary JavaScript code. Notably, the exploitation of this vulnerability does not require elevated permissions, and if anonymous access is enabled within the Grafana instance, the risk is heightened significantly. Further complicating the situation, if the Grafana Image Renderer plugin is installed, attackers could leverage this flaw to perform a server-side request forgery (SSRF) attack, allowing them to read potentially sensitive internal resources.

Potential impact of CVE-2025-4123

  1. Unauthorized Script Execution: The XSS vulnerability could allow attackers to execute arbitrary JavaScript in the context of authenticated users' sessions. This can lead to data theft, manipulation, or unauthorized actions being taken on behalf of the user.

  2. Data Exposure and SSRF Risks: With the capability to perform server-side request forgery if the appropriate plugin is installed, attackers may access internal services that should remain protected from external threats. This could result in data leakage or further exploitation of the network.

  3. Reputation and Trust Damage: For organizations using Grafana, any successful exploitation could undermine trust with customers and stakeholders, leading to reputational damage and potential financial losses due to remediation and recovery efforts.

Affected Version(s)

Grafana 10.4.18+security-01 < 10.4.19

Grafana 11.2.9+security-01 < 11.2.10

Grafana 11.3.6+security-01 < 11.3.7

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.

News Articles

Grafana Zero-Day Vulnerability Allows Attackers to Redirect Users to Malicious Sites

A high-severity XSS vulnerability has been discovered in Grafana, prompting the immediate release of security patches.

3 days ago

References

CVSS V3.1

Score: 7.6
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • 📈 Vulnerability started trending

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • 📰 First article discovered by GBHackers News

  • Vulnerability published

  • Vulnerability Reserved
