Grafana Labs has issued urgent security patches addressing two significant vulnerabilities affecting multiple versions of the popular monitoring platform.
The company released fixes for CVE-2025-6023, a high-severity cross-site scripting (XSS) vulnerability, and CVE-2025-6197, a medium-severity open redirect flaw, both discovered through their bug bounty program.
These security releases target Grafana versions 12.0.x, 11.6.x, 11.5.x, 11.4.x, and 11.3.x, with patched versions now available for download.
High-Severity XSS Vulnerability Details
CVE-2025-6023 represents a particularly dangerous cross-site scripting vulnerability caused by client path traversal and open redirect mechanisms.
The flaw carries a CVSS score of 7.6 (High) and, notably, does not require Editor permissions to exploit, so it is reachable even when anonymous access is enabled.
The vulnerability affects Grafana versions 11.5.0 and later, allowing attackers to redirect users to malicious websites that execute arbitrary JavaScript code within scripted dashboards.
The technical root of this vulnerability is the absence of a connect-src directive in the Content-Security-Policy for Grafana Cloud users, which allows attackers to fetch external JavaScript resources.
While attackers don’t need direct access to the Grafana instance to craft payloads, victims must be authenticated with at least Viewer permissions for successful exploitation.
The potential impact includes session hijacking and complete account takeover through malicious JavaScript execution.
Medium-Severity Open Redirect Flaw
CVE-2025-6197 is an open redirect in Grafana's organization switching functionality, carrying a CVSS score of 4.2 (Medium).
This vulnerability requires specific conditions: the Grafana instance must have multiple organizations, the targeted user must be a member of both organizations being switched, and the attacker must know the organization ID currently being viewed.
Notably, Grafana Cloud remains unaffected since it doesn’t support Organizations.
The open redirect vulnerability can be weaponized to achieve XSS attacks similar to CVE-2025-6023 and the earlier CVE-2025-4123.
Both vulnerabilities were discovered by security researchers Hoa X. Nguyen from OPSWAT and Dat Phung, respectively, who reported them through Grafana's bug bounty program in June 2025.
Mitigation Strategies and Timeline
Organizations should immediately upgrade their Grafana instances to the latest patched versions.
For CVE-2025-6023, administrators can implement interim protection by enabling the default Content Security Policy configuration:
content_security_policy = true
content_security_policy_template = """script-src 'self' 'unsafe-eval' 'unsafe-inline' 'strict-dynamic' $NONCE;object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline' blob:;img-src * data:;base-uri 'self';connect-src 'self' grafana.com ws://$ROOT_PATH wss://$ROOT_PATH;manifest-src 'self';media-src 'none';form-action 'self';"""
For CVE-2025-6197, administrators can block Grafana URLs starting with /\ (%2F%5C) in ingress configurations, or ensure only one organization exists in the instance.
Grafana Labs customers and cloud providers received advance notification under embargo, ensuring Amazon Managed Grafana and Azure Managed Grafana were secured before public disclosure.