CVE-2025-4123
📋 TL;DR
This CVE describes a cross-site scripting (XSS) vulnerability in Grafana that chains a client-side path traversal with an open redirect. An attacker who lures a user to a crafted Grafana URL can redirect that user to an attacker-controlled site serving a frontend plugin, and the plugin's JavaScript then runs in the victim's Grafana session, which can lead to session abuse or data theft. No editor permissions are needed. All unpatched Grafana instances are affected; if anonymous access is enabled the attack also needs no authentication at all. Grafana's default Content-Security-Policy blocks the JavaScript execution stage, and if the Grafana Image Renderer plugin is installed the open redirect can additionally be turned into a full-read SSRF.
💻 Affected Systems
- Grafana
📦 What is this software?
Grafana by Grafana
⚠️ Risk & Real-World Impact
Worst Case
If the Grafana Image Renderer plugin is installed, the open redirect can be turned into a full-read server-side request forgery (SSRF): the renderer fetches attacker-chosen URLs from the Grafana host's network position, exposing internal services and their responses. Combined with the XSS, this can mean complete takeover of the victim's Grafana account and a foothold for lateral movement into the monitored environment.
Likely Case
Attackers execute arbitrary JavaScript in the victim's browser within the Grafana origin, reading whatever the victim can see, calling the Grafana API with the victim's privileges (dashboards, data sources, user administration if the victim is an admin), or redirecting the victim to phishing pages. Data exfiltration and account takeover are the probable outcomes.
If Mitigated
With Grafana's default Content-Security-Policy enabled, the connect-src directive stops the attacker-hosted plugin from being loaded, so the JavaScript execution stage fails. CSP is a browser-side control, though: the open redirect itself remains, and so does the server-side SSRF if the Image Renderer plugin is installed.
🎯 Exploit Status
Exploitation requires chaining the client path traversal with the open redirect and getting a victim to open a crafted Grafana URL; the chain is described in the vendor advisory and in public write-ups. No authentication is needed if anonymous access is enabled; otherwise the victim must already be logged in to Grafana.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 12.0.0+security-01, 11.6.1+security-01, 11.5.4+security-01, 11.4.4+security-01, 11.3.6+security-01, 11.2.9+security-01, 10.4.18+security-01 (the advisory below is the authoritative list)
Vendor Advisory: https://grafana.com/security/security-advisories/cve-2025-4123/
Restart Required: Yes
Instructions:
1. Identify the running version (grafana-server -v, or an HTTP GET to /api/health, which returns the version in its JSON body).
2. Upgrade to the +security-01 release for your release line. Release lines the advisory does not list (9.x, 10.0 to 10.3, 11.0 and 11.1) received no backport and must move to a supported line.
3. Restart the Grafana service.
4. Verify the fix: the reported version now carries the +security-01 suffix (or is later), and dashboards and installed plugins still load.
🔧 Temporary Workarounds
Disable Anonymous Access
Removes the unauthenticated path to exploitation by requiring a login for every request; authenticated users can still be targeted.
Set 'enabled = false' under the '[auth.anonymous]' section of grafana.ini (or the environment variable GF_AUTH_ANONYMOUS_ENABLED=false), then restart Grafana.
Ensure Default CSP
Verify that Grafana's Content-Security-Policy is enabled with the default template, since its connect-src directive blocks the plugin load that delivers the XSS.
Check that 'content_security_policy = true' under '[security]' in grafana.ini has not been disabled and that 'content_security_policy_template' has not been loosened, and confirm in the browser developer tools that responses carry a Content-Security-Policy header with a connect-src directive.
🧯 If You Can't Patch
- Disable anonymous access in the Grafana configuration and keep the default CSP in place
- Remove the Grafana Image Renderer plugin where it is not needed, so the open redirect cannot become an SSRF
- Implement network segmentation to isolate the Grafana host from sensitive internal systems
🔍 How to Verify
Check if Vulnerable:
Compare the running version against the fixed releases (12.0.0+security-01, 11.6.1+security-01, 11.5.4+security-01, 11.4.4+security-01, 11.3.6+security-01, 11.2.9+security-01, 10.4.18+security-01). Anything older on those lines, and every release on a line the advisory does not list, is vulnerable. Then check whether anonymous access is enabled ('[auth.anonymous]' 'enabled = true' in grafana.ini, or GF_AUTH_ANONYMOUS_ENABLED=true in the environment) and whether the Image Renderer plugin is installed.
Check Version:
grafana-server -v, an HTTP GET to /api/health (the JSON response includes the version), or the web interface footer
Verify Fix Applied:
Confirm the reported version is the +security-01 build for your line or later. Confirm that unauthenticated requests are redirected to the login page if you disabled anonymous access, and that responses still carry the default Content-Security-Policy header.
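The version comparison and configuration checks above can be scripted for a fleet. The following is an added example written for this page, not Grafana project code: it grades a Grafana version string against the fixed releases from the vendor advisory and reads the two relevant settings out of grafana.ini text. The sample configuration is constructed, and the fallbacks (anonymous access off, CSP on) assume Grafana's shipped defaults; an environment override such as GF_AUTH_ANONYMOUS_ENABLED is not consulted and must be checked separately.

```python
"""Offline pre-flight check for CVE-2025-4123: grade a Grafana version string
against the vendor's fixed releases and inspect grafana.ini for the two
settings this advisory turns on (anonymous access and CSP).

Added example for this page, not Grafana project code."""
import configparser
import re

# Fixed releases from the Grafana advisory, keyed by release line
# (major, minor) -> patch. Every fix shipped as a "+security-01" build.
FIXED = {
    (10, 4): 18,
    (11, 2): 9,
    (11, 3): 6,
    (11, 4): 4,
    (11, 5): 4,
    (11, 6): 1,
    (12, 0): 0,
}

VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+](.*))?$")


def parse_version(text):
    """Split '11.4.4+security-01' into (11, 4, 4, 'security-01')."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return major, minor, patch, m.group(4) or ""


def status_of(text):
    """Return 'fixed' or 'vulnerable' for a Grafana version string.

    Conservative rules: a plain base version (e.g. 12.0.0 without the
    +security-01 suffix) counts as vulnerable, and release lines the advisory
    does not list (9.x, 10.0-10.3, 11.0-11.1) never got a backport, so they
    are reported as vulnerable too.
    """
    major, minor, patch, suffix = parse_version(text)
    line = (major, minor)
    if line in FIXED:
        fixed_patch = FIXED[line]
        if patch > fixed_patch:
            return "fixed"
        if patch == fixed_patch and "security" in suffix:
            return "fixed"
        return "vulnerable"
    majors = {m for m, _ in FIXED}
    if major > max(majors):
        return "fixed"  # 13.x and later
    if major in majors and minor > max(n for m, n in FIXED if m == major):
        return "fixed"  # e.g. 11.7.x or 12.1.x, released after the fix
    return "vulnerable"


def config_findings(ini_text):
    """Read the two settings that matter from grafana.ini text.

    grafana.ini carries keys (app_mode, instance_name) above the first
    section header, which configparser rejects, so a synthetic section is
    prepended. Assumption: Grafana's shipped defaults are anonymous access
    off and CSP on; they are used as fallbacks when the keys are absent.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string("[__toplevel__]\n" + ini_text)
    return {
        "anonymous_access": cp.getboolean("auth.anonymous", "enabled", fallback=False),
        "csp_enabled": cp.getboolean("security", "content_security_policy", fallback=True),
    }


# Constructed sample configuration, not a real deployment's file.
SAMPLE_INI = """\
app_mode = production

[server]
router_logging = true

[security]
;content_security_policy = true

[auth.anonymous]
enabled = true
org_role = Viewer
"""

if __name__ == "__main__":
    for v in ("11.4.3", "11.4.4+security-01", "12.0.0", "12.0.1", "9.5.21"):
        print(f"{v:22} {status_of(v)}")
    print(config_findings(SAMPLE_INI))
```

Feed status_of the "version" field from /api/health and config_findings the contents of the effective grafana.ini; a result of vulnerable together with anonymous_access True is the combination the advisory singles out as exploitable without credentials.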
📡 Detection & Monitoring
Log Indicators:
- Grafana only logs individual requests when 'router_logging = true' is set under '[server]'; enable it before hunting, as the indicators below depend on it
- Redirect (status 302) responses served on paths other than the login flow, particularly to anonymous sessions (userId=0 in the request log)
- Requests for assets under /public/plugins/ whose plugin id is not one of the plugins you have installed, or whose path contains traversal sequences such as '..' (also in percent-encoded or double-encoded form)
- CSP violation reports, if you add a report-uri or report-to directive to 'content_security_policy_template' so that browsers send violations to a collector you control; the browser console alone is not a log source
Network Indicators:
- Unexpected outbound connections from the Grafana server, especially from the Image Renderer plugin to internal addresses
- Users being redirected from Grafana endpoints to external domains
SIEM Query:
source="grafana" AND msg="Request Completed" AND (status=302 OR path="*/public/plugins/*" OR path="*..*")
Treat this as a starting point: on an instance that still requires login, 302 responses to /login are normal and should be excluded, and the plugin path clause needs an allowlist of installed plugin ids to be useful.
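To turn the indicators above into something that runs over real log files, the following is an added example written for this page, not Grafana project code. It parses lines in the logfmt shape Grafana emits for each request when router logging is enabled, decodes the path repeatedly so double-encoded traversal is caught, and reports the three indicators from the list. The sample lines and the installed-plugin list are constructed for the example and should be replaced with your own exports and plugin inventory.

```python
"""Triage Grafana router-log lines for CVE-2025-4123 indicators.

Added example for this page, not Grafana project code. Grafana writes one
logfmt line per request when [server] router_logging = true; the sample
lines below are constructed to match that shape, not captured traffic."""
import re
from urllib.parse import unquote

# key=value pairs; values may be double-quoted (msg="Request Completed").
LOGFMT_PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')
# A bare ".." path segment after decoding.
DOTDOT = re.compile(r"(?:^|/)\.\.(?:/|$)")
PLUGIN_ASSET = re.compile(r"^/public/plugins/([^/]+)/")

# Assumption: the operator keeps this list current from the plugin
# inventory (e.g. the /api/plugins endpoint); anything else under
# /public/plugins/ is unexpected.
INSTALLED_PLUGINS = {"grafana-clock-panel", "grafana-piechart-panel"}


def parse_logfmt(line):
    """Return {key: value} for one logfmt line, with quotes removed."""
    rec = {}
    for key, val in LOGFMT_PAIR.findall(line):
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1].replace('\\"', '"')
        rec[key] = val
    return rec


def fully_decode(path, rounds=5):
    """Percent-decode until stable so %252e%252e (double-encoded) is caught."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def triage(line, installed_plugins=INSTALLED_PLUGINS):
    """Return the reasons this request line deserves a look (empty = clean)."""
    rec = parse_logfmt(line)
    if rec.get("msg") != "Request Completed":
        return []
    reasons = []
    path = fully_decode(rec.get("path", "")).replace("\\", "/")
    if DOTDOT.search(path):
        reasons.append("traversal sequence in request path")
    m = PLUGIN_ASSET.match(path)
    if m and m.group(1) not in installed_plugins:
        reasons.append(f"asset request for unknown plugin id {m.group(1)!r}")
    # With anonymous access enabled, anonymous (userId=0) requests normally
    # receive content rather than redirects, so a 302 outside the login flow
    # stands out. Expect noise on instances that still require a login.
    if rec.get("status") == "302" and rec.get("userId") == "0" and path not in ("/", "/login"):
        reasons.append("redirect served to an anonymous session")
    return reasons


# Constructed sample lines in Grafana's router-logging shape.
SAMPLE_LINES = [
    'logger=context userId=1 orgId=1 uname=admin t=2025-05-22T10:00:00Z level=info '
    'msg="Request Completed" method=GET path=/api/dashboards/uid/abc123 status=200 '
    'remote_addr=203.0.113.5 time_ms=4 size=812 referer= handler=/api/dashboards/uid/:uid',
    'logger=context userId=0 orgId=1 uname= t=2025-05-22T10:00:01Z level=info '
    'msg="Request Completed" method=GET path=/public/plugins/grafana-clock-panel/module.js '
    'status=200 remote_addr=203.0.113.5 time_ms=1 size=10240 referer=',
    'logger=context userId=0 orgId=1 uname= t=2025-05-22T10:00:02Z level=info '
    'msg="Request Completed" method=GET path=/public/plugins/%252e%252e/%252e%252e/evil/module.js '
    'status=200 remote_addr=198.51.100.7 time_ms=1 size=0 referer=',
    'logger=context userId=0 orgId=1 uname= t=2025-05-22T10:00:03Z level=info '
    'msg="Request Completed" method=GET path=/d/abc123/dashboard status=302 '
    'remote_addr=198.51.100.7 time_ms=2 size=29 referer=',
    'logger=sqlstore t=2025-05-22T10:00:04Z level=info msg="Connecting to DB" dbtype=sqlite3',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        reasons = triage(line)
        if reasons:
            print(parse_logfmt(line).get("path"), "->", "; ".join(reasons))
```

Pipe grafana.log through triage line by line and group hits by remote_addr; a single client producing both a traversal hit and a redirect hit within a short window is the pattern worth escalating. The anonymous-redirect rule is the noisy one and should be dropped on instances where anonymous access is disabled.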