Grafana Security Alert: Critical XSS Vulnerability CVE-2025-4123 - Urgent Patch Required
- Rescana

Executive Summary
A major security release has been issued for Grafana addressing a high-severity vulnerability identified as CVE-2025-4123. This cross-site scripting (XSS) vulnerability permits attackers to redirect users to malicious websites and execute arbitrary JavaScript, potentially leading to session hijacking and account takeover. The vulnerability affects all supported versions of Grafana OSS and Grafana Enterprise, dating back to Grafana 8. Immediate patching and implementation of security measures are recommended to mitigate risks.
Technical Information
CVE-2025-4123 is a high-severity cross-site scripting (XSS) vulnerability with a CVSS score of 7.6. It arises from a client-side path traversal and an open redirect in Grafana's handling of custom frontend plugins. An attacker can exploit it to redirect users to a malicious site from which arbitrary JavaScript is executed in the victim's Grafana session. If the Grafana Image Renderer plugin is installed, this can escalate to a full-read Server-Side Request Forgery (SSRF), allowing account takeover.
The issue is reachable through unauthenticated endpoints, so where anonymous access is enabled it can be exploited without editor permissions. This makes it particularly dangerous, as it can be exploited broadly with few barriers. The vulnerability affects all supported versions of Grafana, necessitating immediate attention.
Exploitation in the Wild
Currently, there are no known reports of active exploitation in the wild for CVE-2025-4123. Tools such as the CVE Exploit in the Wild Finder have not identified any active exploits. Continuous monitoring is advised to promptly detect any exploitation attempts.
APT Groups using this vulnerability
As of now, no specific Advanced Persistent Threat (APT) groups have been reported to exploit CVE-2025-4123. However, organizations should remain vigilant as APT groups often develop tactics to exploit newly discovered vulnerabilities quickly.
Affected Product Versions
The vulnerability affects all supported versions of Grafana OSS and Grafana Enterprise, starting from Grafana 8 onwards. The specific versions with security patches include Grafana 12.0.0+security-01, 11.6.1+security-01, 11.5.4+security-01, 11.4.4+security-01, 11.3.6+security-01, 11.2.9+security-01, and 10.4.18+security-01. Grafana Cloud instances are not affected.
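As an added triage example (not part of this advisory or of Grafana's own tooling), the following Python maps a running Grafana version string against the patched builds listed above. It assumes version strings in Grafana's "major.minor.patch[+security-NN]" form and that later releases within a patched line retain the fix; both are assumptions, not statements from the advisory.

```python
import re
from typing import Optional, Tuple

# Patched builds named in the advisory, keyed by release line (major, minor).
# The "+security-01" suffix IS the fix: a plain 12.0.0 build is not patched.
PATCHED_BUILDS = {
    (12, 0): "12.0.0+security-01",
    (11, 6): "11.6.1+security-01",
    (11, 5): "11.5.4+security-01",
    (11, 4): "11.4.4+security-01",
    (11, 3): "11.3.6+security-01",
    (11, 2): "11.2.9+security-01",
    (10, 4): "10.4.18+security-01",
}
NEWEST_LINE = max(PATCHED_BUILDS)

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\+security-(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """'11.5.4+security-01' -> (11, 5, 4, 1); a missing suffix counts as build 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version string: {text!r}")
    major, minor, patch, build = m.groups()
    return int(major), int(minor), int(patch), int(build or 0)


def assess(version_text: str) -> Tuple[str, Optional[str]]:
    """Classify a Grafana version against CVE-2025-4123.

    Returns (status, patched build for this release line or None). Statuses:
    'patched' (at/above the security build; assumption: later in-line releases
    keep the fix), 'vulnerable' (same line, below it), 'unsupported' (Grafana 8+
    line with no listed security build: affected, fix is moving to a patched
    line), 'newer' (line newer than any the advisory names), 'out-of-scope'
    (below Grafana 8, which the advisory does not describe).
    """
    v = parse_version(version_text)
    line = v[:2]
    if line in PATCHED_BUILDS:
        fixed = PATCHED_BUILDS[line]
        return ("patched" if v >= parse_version(fixed) else "vulnerable"), fixed
    if line > NEWEST_LINE:
        return "newer", None
    return ("unsupported" if v[0] >= 8 else "out-of-scope"), None


if __name__ == "__main__":
    # Constructed sample inventory, e.g. the 'version' field of /api/health.
    for seen in ["12.0.0", "12.0.0+security-01", "11.5.3", "11.6.2", "9.5.2", "12.1.0"]:
        print(f"{seen:22} -> {assess(seen)}")
```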
Workaround and Mitigation
Immediate upgrade to the patched versions of Grafana is strongly advised to mitigate CVE-2025-4123. Additionally, enabling a default Content Security Policy (CSP) can prevent unauthorized script execution. The recommended CSP configuration involves enabling the content_security_policy setting in Grafana's configuration and defining script-src, object-src, and the other directives so that resources may only be loaded from trusted sources. This limits the impact of an XSS attack that reaches the browser.
References
For more information on the security release, please refer to the official Grafana Labs Security Release: Grafana Security Release for CVE-2025-4123. The vulnerability was initially reported by Alvaro Balada through a bug bounty program. Additional technical insights can be found in Alvaro Balada's Medium article: Grafana CVE-2025-4123: Full Read SSRF & Account Takeover.
Rescana is here for you
At Rescana, we are dedicated to helping you manage third-party risks effectively through our TPRM platform. Should you have any questions regarding this report or require further assistance, please do not hesitate to contact us at ops at rescana.com. We are here to support your cybersecurity needs and ensure the protection of your digital assets.