A high-severity cross-site scripting (XSS) vulnerability in Grafana could allow attackers to redirect users to malicious websites.
The vulnerability, tracked as CVE-2025-4123, received a CVSS score of 7.6 (HIGH) and allows attackers to chain a client-side path traversal with an open redirect to execute arbitrary JavaScript code through custom frontend plugins.
The fix was initially scheduled for release on May 22, but was published early after details of the vulnerability leaked to the public.
Security researcher Alvaro Balada discovered and reported the vulnerability in Grafana through the company’s bug bounty program.
Grafana XSS Vulnerability
The vulnerability is particularly dangerous because, unlike many other XSS vulnerabilities in Grafana, it doesn’t require editor permissions to exploit.
If anonymous access is enabled on a Grafana instance, the XSS attack will work without any authentication required.
This significantly expands the potential attack surface for many organizations using Grafana for their monitoring solutions.
The vulnerability impacts Grafana OSS and Grafana Enterprise across all currently supported and unsupported versions going back to at least Grafana 8.
However, Grafana Cloud instances are not affected by this vulnerability, as confirmed by Grafana Labs.
The technical ramifications of this vulnerability extend beyond simple XSS attacks. When combined with the Grafana Image Renderer plugin, the vulnerability can be abused as a full read Server-Side Request Forgery (SSRF).
This combination could allow attackers to expose internal services and cloud metadata, creating significant security risks for affected organizations.
Successful exploitation could lead to session hijacking or complete account takeover. The vulnerability stems from improper handling of user-supplied paths in custom frontend plugins, creating both XSS and open redirect issues.
The vulnerability follows a similar pattern to previous Grafana security issues, where path traversal and redirection vulnerabilities have been exploited.
In 2021, Grafana faced a similar zero-day vulnerability (CVE-2021-43798) that allowed attackers to traverse outside the Grafana folder and remotely access restricted files.
Risk Factors / Details
Affected Products: Grafana OSS & Enterprise versions 8.0+ to 12.0.0; Red Hat Enterprise Linux 8 (EL8), 9 (EL9), 10 (EL10)
Impact: Cross-site scripting (XSS) enabling arbitrary JavaScript execution; session hijacking or account takeover; Server-Side Request Forgery (SSRF) via the Grafana Image Renderer plugin
Exploit Prerequisites: Anonymous access enabled in Grafana; use of custom frontend plugins; Grafana Image Renderer plugin (for SSRF escalation)
CVSS 3.1 Score: 7.6 (High)
Available Patches
Grafana Labs has released patched versions for all supported releases: Grafana 12.0.0+security-01, 11.6.1+security-01, 11.5.4+security-01, 11.4.4+security-01, 11.3.6+security-01, 11.2.9+security-01, and 10.4.18+security-01.
Organizations running affected versions should update immediately.
Organizations that cannot upgrade immediately can apply an alternative mitigation by adding a Content Security Policy configuration to the Grafana configuration file (grafana.ini):
This CSP configuration helps block the attack vector even on vulnerable versions.
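As an added example (not code from the article or from Grafana Labs), the following Python helper checks a reported Grafana version against the patched releases listed above and scans a grafana.ini for the two exposure factors the article names: anonymous access and a disabled Content Security Policy. How unlisted version lines are treated (newer than 12.0 counted as fixed, older than 10.4 as unpatched) and the sample ini are assumptions.

```python
import re
from configparser import ConfigParser

# Patched releases from the advisory, keyed by (major, minor) line; each fix
# shipped as a "+security-01" build of the stated patch level.
FIXED = {
    (12, 0): (12, 0, 0),
    (11, 6): (11, 6, 1),
    (11, 5): (11, 5, 4),
    (11, 4): (11, 4, 4),
    (11, 3): (11, 3, 6),
    (11, 2): (11, 2, 9),
    (10, 4): (10, 4, 18),
}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\+(.+))?$")

def is_patched(version: str) -> bool:
    """True if the version is at or above its line's fixed release.
    Assumption (not from the advisory): lines newer than 12.0 carry the fix;
    lines older than 10.4 got no security build and count as vulnerable."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    build = m.group(4) or ""
    if (major, minor) not in FIXED:
        return (major, minor) > max(FIXED)
    fixed = FIXED[(major, minor)]
    if (major, minor, patch) > fixed:
        return True
    # Same patch number as the fix: only the "+security-NN" build contains it.
    return (major, minor, patch) == fixed and build.startswith("security-")

def risk_flags(ini_text: str) -> list:
    """Exposure factors named in the article, found in a grafana.ini."""
    cfg = ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    flags = []
    if cfg.getboolean("auth.anonymous", "enabled", fallback=False):
        flags.append("anonymous access enabled: the XSS needs no login")
    if not cfg.getboolean("security", "content_security_policy", fallback=False):
        flags.append("content_security_policy disabled: CSP workaround absent")
    return flags

# Constructed sample config (not from any real deployment).
SAMPLE_INI = "[auth.anonymous]\nenabled = true\n\n[security]\ncontent_security_policy = false\n"

if __name__ == "__main__":
    print(is_patched("11.6.1+security-01"), risk_flags(SAMPLE_INI))
```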
Red Hat has also released security updates for affected versions in Enterprise Linux 8, 9, and 10 through security advisories.
Organizations should also consider reviewing their anonymous access settings and implementing additional security controls like a reverse proxy in front of Grafana instances.