Full Report
Some 36% of Grafana instances are vulnerable to account takeover bug, putting DevOps teams at risk
Analysis Summary
# Vulnerability: Grafana Cross-Site Scripting via Path Traversal and Open Redirect (The Grafana Ghost)
## CVE Details
- CVE ID: CVE-2025-4123
- CVSS Score: High (Specific score not provided, but context indicates high severity requiring immediate patching)
- CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation, i.e., XSS)
## Affected Systems
- Products: Grafana (Open source analytics and visualization platform)
- Versions: Specific vulnerable versions are not detailed in the summary; the flaw was fixed in the releases patched in May, and users are urged to update immediately.
- Configurations: Vulnerability is exploitable if anonymous access is enabled. Impact is increased if the Grafana Image Renderer plugin is installed.
## Vulnerability Description
This vulnerability, dubbed "the Grafana Ghost," is a chained flaw: a Cross-Site Scripting (XSS) bug that arises from combining a client-side path traversal with an open redirect. An attacker can send a link that redirects the user to a website hosting a malicious frontend plugin; when that plugin executes, it runs arbitrary JavaScript in the context of the victim's session. If the Grafana Image Renderer plugin is present, the open redirect can allegedly also be leveraged into a Server-Side Request Forgery (SSRF) with full read access.
Crucially, this vulnerability **does not require editor permissions** to exploit.
## Exploitation
- Status: Implied high risk; patched in May, so unpatched instances should be treated as exposed and actively defended.
- Complexity: Low (requires sending a malicious link to the victim; execution occurs on click if the configuration allows it).
- Attack Vector: Network
## Impact
- Confidentiality: High (Arbitrary JavaScript execution allows for session hijacking or stealing information).
- Integrity: High (Arbitrary JavaScript execution allows modification of UI or user behavior).
- Availability: Potential impact if SSRF is leveraged with the Image Renderer plugin.
## Remediation
### Patches
- Specific patch versions are not listed, but the vulnerability was discovered and **patched in May**. Users must ensure they install the release that followed the May advisory from Grafana.
### Workarounds
- Disable anonymous access to Grafana instances where immediate patching is not possible.
- Ensure the Grafana Image Renderer plugin is not installed if patching is delayed.
## Detection
- Indicators of Compromise: Unexpected redirection of users upon link clicks; execution of unknown JavaScript in the Grafana UI context.
- Detection methods and tools: Monitor access logs for path traversal anomalies and for requests that load frontend plugins from external hosts after user interaction.
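As an added, defender-side example (not part of the original report), the log check above implemented over reverse-proxy access logs in front of Grafana: it flags request paths containing (possibly multi-encoded) dot-dot segments and query values that point at hosts outside an allowlist. The combined log format, the allowlisted host, the parameter name `returnTo` and the sample lines are all constructed assumptions, not the real vector.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed allowlist: hosts this deployment legitimately redirects to or loads assets from.
TRUSTED_HOSTS = {"grafana.example.internal"}

# Common/combined log format as written by a reverse proxy in front of Grafana.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')
# Dot-dot segments with either separator; client-side routers often treat "\" like "/".
TRAVERSAL_RE = re.compile(r"\.\.[\\/]|[\\/]\.\.")

def decode_fully(s, rounds=3):
    """Peel up to `rounds` layers of percent-encoding so %252e%252e%2f is inspected as '../'."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def analyze_request(target):
    """Return a list of findings for one request target (path plus query string)."""
    findings = []
    parts = urlsplit(target)
    if TRAVERSAL_RE.search(decode_fully(parts.path)):
        findings.append("path_traversal")
    # A query value that is an absolute or scheme-relative URL to an untrusted host is a
    # candidate open redirect / external plugin load.
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            decoded = decode_fully(value)
            url = urlsplit(decoded)
            if (url.scheme in ("http", "https") or decoded.startswith("//")) and url.hostname:
                if url.hostname not in TRUSTED_HOSTS:
                    findings.append(f"external_url:{key}={url.hostname}")
    return findings

def scan_log(lines):
    """Return suspicious entries as (client ip, request target, findings)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            findings = analyze_request(m.group("target"))
            if findings:
                hits.append((m.group("ip"), m.group("target"), findings))
    return hits

# Constructed sample lines; paths and parameter names are illustrative only.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2025:12:00:01 +0000] "GET /d/abc/overview HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Jun/2025:12:00:02 +0000] "GET /a/%2e%2e%5c%2e%2e%5cb HTTP/1.1" 200 77',
    '203.0.113.7 - - [10/Jun/2025:12:00:03 +0000] "GET /x?returnTo=%2f%2fcdn.attacker.example%2Fpanel.js HTTP/1.1" 302 0',
    '203.0.113.9 - - [10/Jun/2025:12:00:04 +0000] "GET /x?returnTo=https://grafana.example.internal/d/abc HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, target, findings in scan_log(SAMPLE_LOG):
        print(ip, target, findings)
```

Only the second and third sample lines are reported; the internal redirect target on the last line is allowlisted and stays quiet.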
## References
- Vendor advisories: Refer to the official Grafana security advisories published around May [Year of vulnerability discovery].
- Relevant links:
  - infosecurity-magazine dot com/news/over-third-grafana-instances/