Grafana Security Alert: Critical XSS Vulnerability CVE-2025-4123 - Urgent Patch Required

A major security release has been issued for Grafana addressing a high-severity vulnerability identified as CVE-2025-4123. This cross-site scripting (XSS) vulnerability permits attackers to redirect users to malicious websites and execute arbitrary JavaScript, potentially leading to session hijacking and account takeover. The vulnerability affects all supported versions of Grafana OSS and Grafana Enterprise, dating back to Grafana 8. Immediate patching and implementation of security measures are recommended to mitigate risks.

CVE-2025-4123 is a high-severity cross-site scripting (XSS) vulnerability with a CVSS Score of 7.6. It arises from client path traversal and open redirect issues within Grafana's handling of custom frontend plugins. An attacker can exploit this vulnerability to redirect users to malicious sites where arbitrary JavaScript code is executed. If the Grafana Image Renderer plugin is installed, this can escalate to a full read Server-Side Request Forgery (SSRF), allowing account takeover.

The vulnerability was first discovered in unauthenticated endpoints, enabling exploitation without requiring editor permissions if anonymous access is enabled. This makes it particularly dangerous, as it can be exploited broadly without significant barriers. The vulnerability affects all supported versions of Grafana, necessitating immediate attention.

Currently, there are no known reports of active exploitation in the wild for CVE-2025-4123. Tools such as the CVE Exploit in the Wild Finder have not identified any active exploits. Continuous monitoring is advised so that any exploitation attempts are detected promptly.

As of now, no specific Advanced Persistent Threat (APT) groups have been reported to exploit CVE-2025-4123. However, organizations should remain vigilant as APT groups often develop tactics to exploit newly discovered vulnerabilities quickly.

The vulnerability affects all supported versions of Grafana OSS and Grafana Enterprise from Grafana 8 onwards. The releases that carry the security patch are Grafana 12.0.0+security-01, 11.6.1+security-01, 11.5.4+security-01, 11.4.4+security-01, 11.3.6+security-01, 11.2.9+security-01, and 10.4.18+security-01; note that the "+security-01" suffix distinguishes the patched build from the unpatched release of the same version number. Grafana Cloud instances are not affected.

Immediate upgrade to the patched versions of Grafana is strongly advised to mitigate CVE-2025-4123. Additionally, enabling a default Content Security Policy (CSP) can prevent unauthorized script execution. The recommended configuration is to enable the content_security_policy setting in Grafana's [security] configuration section and to set script-src, object-src, and the other directives so that resources are restricted to trusted sources only. This helps mitigate the impact of potential XSS attacks.
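To apply the version list above across an estate, here is an added Python helper (not code from Grafana Labs or Rescana) that classifies reported Grafana versions against the patched builds named in this advisory; the rule that release branches newer than 12.0 already contain the fix is an assumption, and the inventory is constructed sample data.

```python
import re

# Patched builds exactly as listed in the advisory (one per supported branch).
FIXED_VERSIONS = [
    "12.0.0+security-01", "11.6.1+security-01", "11.5.4+security-01",
    "11.4.4+security-01", "11.3.6+security-01", "11.2.9+security-01",
    "10.4.18+security-01",
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\+security-(\d+))?$")


def parse_version(text):
    """Return (major, minor, patch, security_build) for a Grafana version.

    The '+security-NN' suffix is kept as a fourth component because it is
    what separates the vulnerable '11.6.1' from the fixed '11.6.1+security-01'.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version: {text!r}")
    major, minor, patch, sec = m.groups()
    return (int(major), int(minor), int(patch), int(sec) if sec else 0)


FIXED_BY_BRANCH = {v[:2]: v for v in map(parse_version, FIXED_VERSIONS)}
NEWEST_FIXED_BRANCH = max(FIXED_BY_BRANCH)


def assess(version_text):
    """Classify one instance: 'patched', 'vulnerable' or 'unsupported'."""
    v = parse_version(version_text)
    fix = FIXED_BY_BRANCH.get(v[:2])
    if fix is not None:
        # Same branch: tuple comparison orders the security build after the
        # plain release and any later patch release after both.
        return "patched" if v >= fix else "vulnerable"
    if v[:2] > NEWEST_FIXED_BRANCH:
        # Assumption: branches cut after the fix (e.g. 12.1.x) include it.
        return "patched"
    # Branch has no security build listed: out of support, upgrade required.
    return "unsupported"


def triage(inventory):
    """Map each host to its status; inventory is {host: version_string}."""
    return {host: assess(version) for host, version in inventory.items()}


# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = {
    "grafana-prod-01": "11.6.1+security-01",
    "grafana-prod-02": "11.6.1",
    "grafana-legacy": "9.5.3",
}
```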

For more information on the security release, please refer to the official Grafana Labs Security Release: Grafana Security Release for CVE-2025-4123. The vulnerability was initially reported by Alvaro Balada through a bug bounty program. Additional technical insights can be found in Alvaro Balada's Medium article: Grafana CVE-2025-4123: Full Read SSRF & Account Takeover.

At Rescana, we are dedicated to helping you manage third-party risks effectively through our TPRM platform. Should you have any questions regarding this report or require further assistance, please do not hesitate to contact us at ops at rescana.com. We are here to support your cybersecurity needs and ensure the protection of your digital assets.