Full Report
A vulnerability exists in Grafana that allows arbitrary JavaScript execution in a victim's browser session. Grafana is an open-source platform for visualizing and analyzing time series data: it connects to a range of data sources, queries and transforms their data, and renders interactive dashboards for metrics, logs, and traces. Successful exploitation lets an attacker load a malicious frontend plugin into the victim's session and take over that account without holding elevated privileges. Because the payload runs with whatever Grafana role the victim holds, the damage scales with that role: compromising an Admin session hands over the instance, whereas a Viewer session exposes far less.
Analysis Summary
# Vulnerability: Grafana Arbitrary JavaScript Execution (XSS) via Client-Side Path Traversal and Open Redirect
## CVE Details
- CVE ID: CVE-2025-4123
- CVSS Score: not given in the source; the Grafana security release referenced below classifies the issue as High severity.
- CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting'). The two primitives chained to reach it are a client-side path traversal and an open redirect (CWE-601, URL Redirection to Untrusted Site).
## Affected Systems
- Products: Grafana
- Versions: Versions prior to 10.4.19, as stated in the source. The fix was shipped across several Grafana release lines, so "later than 10.4.19" must not be read as "any newer minor version"; check the referenced Grafana advisory for the patched build of the line you run.
- Configurations: Any instance whose users can be lured into following a crafted link while logged in. If anonymous access is enabled, no logged-in victim is needed. Locally running instances are reachable too, because the redirect target can name a local domain name or port. With the Grafana Image Renderer plugin installed, the same open redirect also yields SSRF.
## Vulnerability Description
A Cross-Site Scripting (XSS) vulnerability exists in Grafana, produced by chaining a client-side path traversal with an open redirect. The chain lets an attacker redirect the Grafana frontend to an attacker-controlled site hosting a frontend plugin, which the frontend then loads and executes as arbitrary JavaScript inside the victim's session. From there the attacker can run malicious plugins and take over the victim's account; neither Editor permissions nor any other elevated privilege is required of the victim or the attacker. If the Grafana Image Renderer plugin is installed, the same open redirect can be turned into a Server-Side Request Forgery (SSRF) that results in information disclosure and arbitrary read access.
## Exploitation
- Status: Working exploit demonstrated against local instances by the OX Security research team.
- Complexity: Low (described as "easily weaponized"). The victim does have to open an attacker-supplied link, so user interaction is required unless anonymous access is enabled.
- Attack Vector: Network (the victim is redirected to a host serving the malicious plugin; with anonymous access enabled the attacker needs no authenticated victim at all).
## Impact
- Confidentiality: High (account takeover; with the Image Renderer plugin, SSRF leading to information disclosure).
- Integrity: High (malicious plugins run in the victim's session and can act on the instance with the victim's rights, including manipulating dashboards, data sources, and user sessions).
- Availability: Medium (disruption is possible through a taken-over account, but the source does not describe a direct denial-of-service vector).
## Remediation
### Patches
- Upgrade Grafana to **10.4.19** or later within the 10.4 line, as stated in the source. Installations on a newer minor line need the patched build of that line; the referenced Grafana security release lists the fixed version for each supported line.
### Workarounds
- Apply the Principle of Least Privilege: Run the Grafana process as a non-privileged OS user. This does not prevent the XSS, which executes in the victim's browser, but it limits what an attacker can do on the host after any follow-on compromise.
- Disable anonymous access if possible (`[auth.anonymous] enabled = false` in `grafana.ini`, or `GF_AUTH_ANONYMOUS_ENABLED=false` in the environment). This removes the unauthenticated path, but authenticated users who follow a crafted link remain exposed until the instance is patched.
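The following is an added example, not code from Grafana or from the source report, that checks whether an instance actually has anonymous access enabled. Grafana reads `grafana.ini` and then lets any environment variable of the form `GF_<SECTION>_<KEY>` override the file, so a deployment whose ini file says `enabled = false` can still be anonymous-accessible through `GF_AUTH_ANONYMOUS_ENABLED=true` in a container definition. The sample ini text and environment below are constructed for the example.

```python
import configparser
import os
from typing import Mapping, Optional, Tuple

# Values Grafana accepts as "true" in boolean settings.
TRUE_VALUES = {"true", "1", "yes", "on"}

# Constructed sample grafana.ini: the file disables anonymous access.
SAMPLE_INI = """
[server]
root_url = https://grafana.example.internal/

[auth.anonymous]
; anonymous access is off in the file, but the environment may override it
enabled = false
org_role = Viewer
"""


def ini_value(ini_text: str, section: str, key: str) -> Optional[str]:
    """Return a key from grafana.ini text, or None if it is absent or commented out."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    parser.read_string(ini_text)
    if parser.has_option(section, key):
        value = parser.get(section, key)
        return value.strip() if value is not None else None
    return None


def effective_value(ini_text: str, section: str, key: str,
                    env: Mapping[str, str]) -> Tuple[Optional[str], str]:
    """Apply Grafana's precedence: GF_<SECTION>_<KEY> in the environment beats the ini file.

    Returns (value, source) so the report can say where the setting came from.
    """
    env_key = f"GF_{section.replace('.', '_').upper()}_{key.upper()}"
    if env_key in env:
        return env[env_key].strip(), env_key
    return ini_value(ini_text, section, key), "grafana.ini"


def anonymous_access_enabled(ini_text: str, env: Mapping[str, str]) -> dict:
    """Report whether [auth.anonymous] enabled is effectively on, and with which org role."""
    value, source = effective_value(ini_text, "auth.anonymous", "enabled", env)
    enabled = (value or "").lower() in TRUE_VALUES
    org_role, _ = effective_value(ini_text, "auth.anonymous", "org_role", env)
    return {
        "enabled": enabled,
        "source": source,
        # Grafana's default role for anonymous users is Viewer.
        "org_role": org_role or "Viewer",
    }


if __name__ == "__main__":
    # Stand-alone use: audit the sample ini against this process's real environment.
    report = anonymous_access_enabled(SAMPLE_INI, os.environ)
    state = "ENABLED" if report["enabled"] else "disabled"
    print(f"anonymous access {state} (decided by {report['source']}, role {report['org_role']})")
```

Run it with the ini text of your deployment and the container's environment; a result of `ENABLED` decided by `GF_AUTH_ANONYMOUS_ENABLED` is the common case where the ini file looks safe but the deployment is not.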
## Detection
- **Indicators of Compromise (IoCs):** Review Grafana request logs (and reverse-proxy access logs in front of Grafana) for requests to frontend-plugin asset paths that contain path-traversal sequences, for redirect targets pointing at hosts that are not your own, and for plugin code being loaded from origins you do not serve. Where the Grafana Image Renderer plugin is installed, watch for it issuing unusual outbound requests (potential SSRF).
- **Detection Methods and Tools:** Maintain a vulnerability management process with frequent automated patching (CIS Controls Safeguard 7.4, automated application patch management). Monitor network traffic for anomalous outbound connections, particularly from the Image Renderer plugin.
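As an added example of the log review described above (not code from the source, from OX Security, or from Grafana), the script below scans Grafana request-log lines for the two primitives the advisory names: a traversal sequence inside a `/public/plugins/` asset path, and a query parameter whose decoded value is a protocol-relative or absolute URL, which is the shape an open-redirect target takes. The patterns are generic heuristics, not the confirmed request shape used in the published proof of concept, and will need tuning against your own traffic. The log lines are constructed in Grafana's logfmt style for the example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample of Grafana "Request Completed" log lines. Lines 2 and 3 are
# the suspicious ones; lines 1 and 4 are ordinary traffic.
SAMPLE_LOG = """\
logger=context userId=0 orgId=1 uname= t=2025-05-24T10:01:02.100+0000 level=info msg="Request Completed" method=GET path=/public/plugins/grafana-clock-panel/module.js status=200 remote_addr=10.0.0.5 time_ms=3
logger=context userId=0 orgId=1 uname= t=2025-05-24T10:01:05.420+0000 level=info msg="Request Completed" method=GET path=/public/plugins/grafana-clock-panel/..%2F..%2F..%2Fevil/module.js status=200 remote_addr=203.0.113.7 time_ms=2
logger=context userId=0 orgId=1 uname= t=2025-05-24T10:01:07.900+0000 level=info msg="Request Completed" method=GET path=/login?redirectTo=%2F%2Fattacker.example%2F status=302 remote_addr=203.0.113.7 time_ms=1
logger=context userId=3 orgId=1 uname=alice t=2025-05-24T10:02:11.000+0000 level=info msg="Request Completed" method=GET path=/api/dashboards/uid/abc123 status=200 remote_addr=10.0.0.9 time_ms=7
"""

PATH_RE = re.compile(r"\bpath=(\S+)")
ABSOLUTE_URL_RE = re.compile(r"^https?://", re.IGNORECASE)


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded traversal or redirects are not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(raw_path: str) -> list:
    """Return the list of heuristic reasons a request path looks suspicious (empty if none)."""
    reasons = []
    parts = urlsplit(raw_path)
    path = decode_fully(parts.path)
    # Browsers treat backslashes as separators in paths; normalize before splitting.
    segments = path.replace("\\", "/").split("/")
    if path.startswith("/public/plugins/") and ".." in segments:
        reasons.append("plugin-path-traversal")
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        target = decode_fully(value).lstrip()
        # "//host", "/\host" and "\\host" are protocol-relative; browsers follow them off-site.
        if target.startswith(("//", "/\\", "\\\\")) or ABSOLUTE_URL_RE.match(target):
            reasons.append("open-redirect-target")
            break
    return reasons


def scan_log(log_text: str) -> list:
    """Scan logfmt request lines and return findings with line number, raw path and reasons."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        match = PATH_RE.search(line)
        if not match:
            continue
        reasons = classify_request(match.group(1))
        if reasons:
            findings.append({"line": lineno, "path": match.group(1), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"line {finding['line']}: {', '.join(finding['reasons'])}: {finding['path']}")
```

Point `scan_log` at your Grafana server log (with `router_logging` enabled) or at the access log of the proxy in front of it; a hit on `plugin-path-traversal` from an external address is worth pulling the full session for, and every `open-redirect-target` hit should be checked against the set of hosts you legitimately redirect to.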
## References
- CVE: hXXps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4123
- Grafana Advisory: hXXps://grafana.com/blog/2025/05/23/grafana-security-release-medium-and-high-severity-security-fixes-for-cve-2025-4123-and-cve-2025-3580/
- OX.Security PoC/Details: hXXps://www.ox.security/confirmed-critical-the-grafana-ghost-exposes-36-of-public-facing-instances-to-malicious-account-takeover/#poc