Cross-Site Scripting Vulnerability in Grafana by Grafana Labs
CVE-2025-4123
What is CVE-2025-4123?
CVE-2025-4123 is a vulnerability within the Grafana platform, which is a widely used open-source analytics and monitoring solution. Grafana allows organizations to visualize and analyze metrics from various data sources, making it a critical tool for operational intelligence. The identified vulnerability is a cross-site scripting (XSS) flaw caused by the combination of a client path traversal issue and an open redirect. This vulnerability can have severe implications, as it enables attackers to redirect users to malicious websites that host frontend plugins capable of executing arbitrary JavaScript code. Notably, the exploitation of this vulnerability does not require elevated permissions, and if anonymous access is enabled within the Grafana instance, the risk is heightened significantly. Further complicating the situation, if the Grafana Image Renderer plugin is installed, attackers could leverage this flaw to perform a server-side request forgery (SSRF) attack, allowing them to read potentially sensitive internal resources.
Potential impact of CVE-2025-4123
- Unauthorized Script Execution: The XSS vulnerability could allow attackers to execute arbitrary JavaScript in the context of authenticated users' sessions. This can lead to data theft, manipulation, or unauthorized actions being taken on behalf of the user.
- Data Exposure and SSRF Risks: With the capability to perform server-side request forgery if the appropriate plugin is installed, attackers may access internal services that should remain protected from external threats. This could result in data leakage or further exploitation of the network.
- Reputation and Trust Damage: For organizations using Grafana, any successful exploitation could undermine trust with customers and stakeholders, leading to reputational damage and potential financial losses due to remediation and recovery efforts.
Affected Version(s)
Grafana 10.4.18+security-01 < 10.4.19
Grafana 11.2.9+security-01 < 11.2.10
Grafana 11.3.6+security-01 < 11.3.7
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.
News Articles
Grafana Zero-Day Vulnerability Allows Attackers to Redirect Users to Malicious Sites
The High-severity XSS vulnerability has been discovered in Grafana, prompting the immediate release of security patches.
3 weeks ago

Critical Grafana 0-Day Flaw Enables Attackers to Redirect Users to Malicious Sites
The flaw, which carries a CVSS v3.1 base score of 7.6 (High), was made public before the scheduled disclosure, prompting the company to expedite its patch rollout.
3 weeks ago
Timeline
- Vulnerability started trending
- Public PoC available
- Exploit known to exist
- First article discovered by Cyber Press
- Vulnerability published
- Vulnerability reserved