Description
A cross-site scripting (XSS) vulnerability exists in Grafana, caused by combining a client-side path traversal with an open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. The vulnerability does not require editor permissions, and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full-read SSRF.
The default Content-Security-Policy (CSP) in Grafana will block the XSS through the `connect-src` directive.
Product(s):
- Grafana 10.0.0
- Grafana 10.*.* (all 10.x releases)
- Grafana 10.0.12
- Grafana 10.1.0
- Grafana 10.2.0
- Grafana 10.2.5
- Grafana 10.3.0
- Grafana 10.3.4
- Grafana 10.4.0
- Grafana 11.0.0
- Grafana 11.*.* (all 11.x releases)
- +522 additional
Question to Ask Vendors:
- Have you upgraded all instances of Grafana to versions 10.4.18+security-01, 11.2.9+security-01, 11.3.6+security-01, 11.4.4+security-01, 11.5.4+security-01, 11.6.1+security-01, or 12.0.0+security-01 to mitigate the risk of CVE-2025-4123?
- Have you implemented strict whitelists of allowed plugin sources and required explicit admin approval to prevent the loading of malicious frontend plugins as described in the CVE-2025-4123 advisory?
- Have you disabled anonymous access and hardened redirects by restricting or removing unneeded open-redirect endpoints via server or proxy rules to prevent potential XSS attacks and full-read SSRF as recommended in the advisory?
- Have you extended your Content-Security-Policy to disallow connect-src to untrusted hosts entirely, as a measure to block most script sources and mitigate the risk of the bypass described in the CVE-2025-4123 advisory?
Recommended Actions:
- CSP Reinforcement: Extend your Content-Security-Policy to disallow connect-src to untrusted hosts entirely.
- Disable Anonymous Access: Turn off anonymous viewing if it’s not essential.
- Harden Redirects: Restrict or remove unneeded open-redirect endpoints via server or proxy rules.
- Monitor for Abuse: Look for unusual plugin-loading URLs or requests hitting the open-redirect and Image Renderer endpoints.
- Plugin Whitelisting: Enforce strict whitelists of allowed plugin sources and require explicit admin approval.
- Upgrade Immediately: Apply the security-only patches in 10.4.18+security-01, 11.2.9+security-01, 11.3.6+security-01, 11.4.4+security-01, 11.5.4+security-01, 11.6.1+security-01, or 12.0.0+security-01, depending on your version line.
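The CSP reinforcement above is the one mitigation the advisory names twice, so here is a small audit that checks whether a Grafana instance's `connect-src` directive is actually locked down. This is an added example written for this page, not Grafana's own code: it parses a CSP header the way a browser splits it, falls back to `default-src` when `connect-src` is absent, and reports every source that is neither `'self'` nor a host on an operator-supplied allowlist. The header strings and host names are constructed for illustration; the trusted-host list is an assumption the operator fills in from their own deployment.

```python
"""Audit the connect-src directive of a Content-Security-Policy header.

Added example (not Grafana's code). Sample headers and host names below are
constructed; the trusted-host allowlist is an operator-supplied assumption.
"""
from urllib.parse import urlsplit

# The only keyword we accept in connect-src; any other quoted keyword is flagged.
SAFE_KEYWORDS = {"'self'"}
# Wildcard and scheme-only sources permit connections to arbitrary hosts.
OVERLY_BROAD = {"*", "http:", "https:", "ws:", "wss:"}

# Constructed sample headers (placeholders already substituted).
LOCKED_DOWN = (
    "default-src 'none'; script-src 'self'; "
    "connect-src 'self' wss://grafana.example.internal"
)
TOO_BROAD = (
    "default-src 'self'; "
    "connect-src 'self' https: grafana.com ws://grafana.example.internal"
)


def parse_csp(header):
    """Split a CSP header into {directive: [sources]}.

    Directives are ';'-separated, sources are whitespace-separated, and
    directive names are case-insensitive. Browsers honour only the first
    occurrence of a directive, so a duplicate is ignored here as well.
    """
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def host_of(source):
    """Reduce a host-source ('grafana.com', 'wss://host:3000/path',
    '*.example.com') to a lowercase hostname for allowlist comparison."""
    src = source if "://" in source else "//" + source
    return (urlsplit(src).hostname or "").lower()


def audit_connect_src(header, trusted_hosts):
    """Return the connect-src sources that are neither 'self' nor a trusted host.

    An empty list means connect-src only reaches the instance itself and the
    hosts the operator explicitly trusts.
    """
    policy = parse_csp(header)
    sources = policy.get("connect-src")
    if sources is None:
        # No connect-src: browsers fall back to default-src; if that is also
        # missing, every origin is allowed, which we represent as '*'.
        sources = policy.get("default-src", ["*"])
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for src in sources:
        if src in SAFE_KEYWORDS:
            continue
        # Wildcards, bare schemes and unexpected quoted keywords are always findings.
        if src in OVERLY_BROAD or src.startswith("'"):
            findings.append(src)
            continue
        host = host_of(src)
        # Wildcard subdomains or hosts outside the allowlist are findings too.
        if host.startswith("*.") or host not in trusted:
            findings.append(src)
    return findings


if __name__ == "__main__":
    allowlist = ["grafana.example.internal"]  # assumption: operator-supplied
    for label, header in (("locked down", LOCKED_DOWN), ("too broad", TOO_BROAD)):
        print(f"{label}: {audit_connect_src(header, allowlist) or 'OK'}")
```

Run it against the `Content-Security-Policy` header your Grafana instance actually returns (in Grafana this is shaped by the `content_security_policy_template` setting in the `[security]` section of `grafana.ini`); any source the audit lists is a host the frontend is allowed to fetch from, and each one should either be added to the allowlist deliberately or removed from the template.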
References:
- http://webappsec.pbworks.com/Cross-Site+Scripting
- https://capec.mitre.org/data/definitions/209.html
- https://capec.mitre.org/data/definitions/588.html
- https://capec.mitre.org/data/definitions/591.html
- https://capec.mitre.org/data/definitions/592.html
- https://capec.mitre.org/data/definitions/63.html
- https://capec.mitre.org/data/definitions/85.html
- https://github.com/NightBloodz/CVE-2025-4123
- https://grafana.com/security/security-advisories/cve-2025-4123/
- https://nvd.nist.gov/vuln/detail/CVE-2025-4123
- https://www.broadcom.com/support/security-center/protection-bulletin/cve-2025-4123-grafana-xss-and-full-read-ssrf-vulnerability