High-Severity Grafana Flaw, Disclosed Ahead of Schedule, Lets Attackers Redirect Users to Malicious Sites

Grafana Labs has released an emergency security update, Grafana 12.0.0+security-01, along with patches for all currently supported versions, to address a high-severity cross-site scripting (XSS) vulnerability tracked as CVE-2025-4123.

The flaw, which carries a CVSS v3.1 base score of 7.6 (High), was made public before the scheduled disclosure, prompting the company to expedite its patch rollout.

The vulnerability was discovered on April 26, 2025, through a bug bounty report and involves a combination of client path traversal and open redirect issues in Grafana’s custom frontend plugin handling.

An attacker who can get a victim to open a crafted link can send the victim to a site of the attacker's choosing and have arbitrary JavaScript run in the victim's browser in the context of the Grafana session, which can lead to session hijacking or full account takeover.

Technical Details: Exploitation and Impact

CVE-2025-4123 is classified under CWE-79 (Cross-site Scripting) and affects both Grafana OSS and Grafana Enterprise. Grafana Labs states that releases from 8.0 up to 12.0 are affected; fixes are published for the supported branches, 10.4 and 11.2 through 12.0 (see the list below).

The vulnerability arises from improper handling of user-supplied paths in custom frontend plugins, leading to XSS and open redirect scenarios.
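To make the bug class concrete, here is an added example (not Grafana's code, and not a reproduction of the actual CVE-2025-4123 request pattern) of a naive plugin asset resolver beside a hardened one. The base URL, the function names and the inputs are assumptions for the illustration; the point is that a user-supplied path fragment must be resolved and then pinned to the expected origin and directory, not concatenated.

```javascript
// Added example, not Grafana's code: the bug class behind CVE-2025-4123,
// client-side path traversal plus open redirect, shown as a naive plugin
// asset resolver next to a hardened one. PLUGIN_BASE, the function names
// and the inputs are assumptions for this illustration; no actual Grafana
// request pattern is reproduced here.
const PLUGIN_BASE = "https://grafana.example.com/public/plugins/";

// Vulnerable: string concatenation. A "../" sequence walks out of the plugin
// directory, and "//host/" is read by the browser as a protocol-relative URL,
// so the script ends up being loaded from (or the user sent to) another origin.
function resolvePluginAssetVulnerable(pluginId, assetPath) {
  return PLUGIN_BASE + pluginId + "/" + assetPath;
}

// Hardened: resolve with the WHATWG URL parser (which collapses "..", "%2e%2e",
// backslashes, protocol-relative and absolute inputs), then insist the result
// keeps the expected origin and still lies inside the plugin's own directory.
// The trailing "/" on pluginDir matters: without it "my" would accept
// "../my-evil/x". Returns null for anything that would escape.
function resolvePluginAssetHardened(pluginId, assetPath) {
  if (!/^[a-z0-9][a-z0-9-]*$/i.test(pluginId)) return null; // ids never contain "/" or "."
  const pluginDir = new URL(pluginId + "/", PLUGIN_BASE);
  let resolved;
  let decodedPath;
  try {
    resolved = new URL(assetPath, pluginDir);
    decodedPath = decodeURIComponent(resolved.pathname);
  } catch {
    return null; // unparsable URL or malformed percent-encoding
  }
  if (resolved.origin !== pluginDir.origin) return null;             // "//evil", "https://evil", "javascript:"
  if (!resolved.pathname.startsWith(pluginDir.pathname)) return null; // "../", "%2e%2e/", absolute same-origin paths
  if (decodedPath.split("/").includes("..")) return null;             // defence in depth for any later decoder
  return resolved.href;
}
```

The hardened resolver rejects traversal, protocol-relative and absolute URLs, and `javascript:` inputs with the same two comparisons (origin and directory prefix), which is easier to audit than a growing list of string blacklists.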

A particularly concerning aspect is that if the Grafana Image Renderer plugin is installed, the vulnerability can be leveraged for full-read Server-Side Request Forgery (SSRF): the renderer fetches and renders pages from the server's own network position, so an attacker-controlled redirect is followed from inside the deployment and the response comes back to the attacker.

This expands the attack surface, potentially exposing internal services and sensitive cloud metadata.

The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L: network-reachable, low attack complexity, no privileges required, user interaction required (the victim has to open a crafted link), high confidentiality impact and low integrity and availability impact. Because no privileges are needed, it is especially dangerous in environments where anonymous access is enabled.

Mitigation Steps and Cloud Security

Grafana Labs urges all users to upgrade their instances to the patched versions immediately. Supported patched versions include:

  • Grafana 12.0.0+security-01
  • Grafana 11.6.1+security-01
  • Grafana 11.5.4+security-01
  • Grafana 11.4.4+security-01
  • Grafana 11.3.6+security-01
  • Grafana 11.2.9+security-01
  • Grafana 10.4.18+security-01
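When checking a fleet, it helps to turn the list above into a version check. The following is an added example, not Grafana's own tooling: it copies the patched releases from the list and classifies a reported version string. The accepted string shapes ("11.5.3", "v11.5.3", "11.5.4+security-01") and the rule that an exact patched base number without a "+security-NN" build tag is reported as "verify-build" rather than "patched" are this example's own assumptions; confirm against how your builds report their version.

```javascript
// Added example, not Grafana's code: classify a Grafana version string
// against the patched releases listed above. PATCHED_RELEASES is copied from
// the list; the version-string shapes accepted and the "verify-build" rule for
// an exact patched base without a "+security-NN" tag are assumptions.
const PATCHED_RELEASES = [
  "12.0.0+security-01",
  "11.6.1+security-01",
  "11.5.4+security-01",
  "11.4.4+security-01",
  "11.3.6+security-01",
  "11.2.9+security-01",
  "10.4.18+security-01",
];

function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:\+(.+))?$/.exec(String(text).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], build: m[4] || "" };
}

// Compare the numeric x.y.z parts only; build tags are handled separately.
function compareBase(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

const PATCHED = PATCHED_RELEASES.map(parseVersion);
const NEWEST_FIX = PATCHED[0];

// Returns one of: "patched", "vulnerable", "verify-build",
// "vulnerable-unsupported-branch", "outside-affected-range", "unparseable".
function assessVersion(text) {
  const v = parseVersion(text);
  if (!v) return "unparseable";
  if (v.major < 8) return "outside-affected-range";      // advisory: affected from 8.0 onward
  if (compareBase(v, NEWEST_FIX) > 0) return "patched";  // later than every listed fix
  const fix = PATCHED.find((p) => p.major === v.major && p.minor === v.minor);
  if (!fix) return "vulnerable-unsupported-branch";      // e.g. 9.x or 11.1.x: no fix on that branch, upgrade
  const c = compareBase(v, fix);
  if (c > 0) return "patched";
  if (c < 0) return "vulnerable";
  return /^security-\d+$/.test(v.build) ? "patched" : "verify-build";
}
```

The `version` field of Grafana's unauthenticated `/api/health` endpoint is a convenient input; anything that comes back as "vulnerable", "verify-build" or "vulnerable-unsupported-branch" goes on the upgrade list.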

As an additional mitigation, administrators can enforce a strict Content Security Policy (CSP). In the [security] section of grafana.ini (or through the matching GF_SECURITY_CONTENT_SECURITY_POLICY and GF_SECURITY_CONTENT_SECURITY_POLICY_TEMPLATE environment variables) set the following and restart Grafana:

content_security_policy = true
content_security_policy_template = """script-src 'self' 'unsafe-eval' 'unsafe-inline' 'strict-dynamic' $NONCE;object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline' blob:;img-src * data:;base-uri 'self';connect-src 'self' grafana.com ws://$ROOT_PATH wss://$ROOT_PATH;manifest-src 'self';media-src 'none';form-action 'self';"""

Grafana substitutes $NONCE with a per-response nonce and $ROOT_PATH with a value derived from the configured root_url when it emits the header. A CSP restricts which scripts the browser will execute on a Grafana page, which blunts the XSS component, but it does not fix the underlying path handling; treat it as a stopgap until the upgrade is applied, not as a replacement for it.
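To confirm the mitigation actually took effect, fetch any Grafana page and inspect the Content-Security-Policy response header. The following is an added example, not Grafana's code: a small parser for the header plus checks for the properties the template is meant to provide once $NONCE and $ROOT_PATH have been substituted. Both sample headers are constructed for the example (the first is the template rendered by hand with an assumed host and nonce, the second a deliberately weak policy), and the set of checks is this example's own choice.

```javascript
// Added example, not Grafana's code: parse a Content-Security-Policy header
// and check the properties the template above should provide once Grafana has
// substituted $NONCE and $ROOT_PATH. Both sample headers are constructed here;
// the checks are this example's own, not the advisory's.
const RENDERED_TEMPLATE_CSP =
  "script-src 'self' 'unsafe-eval' 'unsafe-inline' 'strict-dynamic' 'nonce-Zm9vYmFyYmF6cXV4';" +
  "object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline' blob:;img-src * data:;" +
  "base-uri 'self';connect-src 'self' grafana.com ws://grafana.example.com/ wss://grafana.example.com/;" +
  "manifest-src 'self';media-src 'none';form-action 'self';";

// Constructed weak policy: inline scripts allowed, no nonce, plugins unrestricted.
const WEAK_CSP = "script-src 'self' 'unsafe-inline' 'unsafe-eval';object-src *;";

// Split "name v1 v2; name v1" into a Map of name -> [values]. Per the CSP
// grammar a repeated directive is ignored, so the first occurrence wins.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Returns a list of findings; an empty list means every checked property holds.
function checkCsp(header) {
  const d = parseCsp(header);
  const findings = [];
  const values = (name) => d.get(name) || [];
  const script = values("script-src");
  const hasNonce = script.some((v) => /^'nonce-[A-Za-z0-9+/=_-]+'$/.test(v));
  if (!hasNonce) findings.push("script-src carries no per-response nonce ($NONCE was not substituted)");
  if (!script.includes("'strict-dynamic'")) findings.push("script-src lacks 'strict-dynamic'");
  // Browsers ignore 'unsafe-inline' once a nonce (or hash) is present in the
  // directive, so it is only a live problem when the nonce is missing.
  if (script.includes("'unsafe-inline'") && !hasNonce) findings.push("'unsafe-inline' is in effect for script-src");
  if (!values("object-src").includes("'none'")) findings.push("object-src is not 'none'");
  if (!values("base-uri").includes("'self'")) findings.push("base-uri is not restricted to 'self'");
  if (!values("form-action").includes("'self'")) findings.push("form-action is not restricted to 'self'");
  return findings;
}
```

A header that still contains the literal text `$NONCE` fails the nonce check, which is the most common sign that the template was pasted into the wrong section or the service was not restarted.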

Grafana Cloud instances, as well as the managed Grafana offerings from Amazon and Azure, are not impacted: those providers received early notification and had confirmed the security of their platforms by the time of the announcement.

Grafana Labs credits security researcher Alvaro Balada for reporting the vulnerability and reminds users to report any suspected security issues via their responsible disclosure program.

With the public disclosure of CVE-2025-4123, immediate action is essential to protect Grafana deployments from potential exploitation.


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
