CVE-2025-41117 Overview
CVE-2025-41117 is a cross-site scripting (XSS) vulnerability in Grafana's Explore Traces view: stack traces returned by the datasource are rendered as raw HTML, so any JavaScript an attacker has placed in a stack trace field executes in the browser of every user who views the affected trace.
The vulnerability specifically affects datasources using the Jaeger HTTP API. Jaeger gRPC and Tempo datasources do not appear to be affected by this issue.
Critical Impact
Attackers could execute arbitrary JavaScript in the context of authenticated Grafana users, potentially leading to session hijacking, data theft, or unauthorized actions within the Grafana dashboard.
Affected Products
- Grafana instances using Jaeger HTTP API datasources
- Grafana Explore Traces view functionality
- Environments where untrusted data flows into stack trace fields
Discovery Timeline
- 2026-02-12 - CVE-2025-41117 published to NVD
- 2026-02-12 - Last updated in NVD database
Technical Details for CVE-2025-41117
Vulnerability Analysis
This XSS vulnerability stems from improper output encoding in Grafana's Explore Traces view when rendering stack trace data. When stack traces are retrieved via the Jaeger HTTP API and displayed to users, the application fails to properly sanitize or escape HTML entities before rendering the content in the browser.
The attack requires user interaction, as a victim must navigate to and view the malicious trace data. However, once triggered, the injected script executes with the full privileges of the authenticated user's session. This could allow attackers to steal session tokens, modify dashboard configurations, access sensitive monitoring data, or perform actions on behalf of the compromised user.
The network-based attack vector combined with the requirement for user interaction and specific preconditions results in a medium severity classification, though the potential for high confidentiality and integrity impact should not be underestimated.
Root Cause
The root cause of this vulnerability is insufficient input sanitization and output encoding in the Explore Traces view component. When stack trace data is received from Jaeger HTTP API datasources, the content is rendered directly as HTML without proper escaping. This allows specially crafted stack trace entries containing HTML tags and JavaScript code to be interpreted and executed by the browser rather than displayed as text.
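The escaping that the root cause describes as missing, shown as an added JavaScript example that is not Grafana's code: a constructed stack trace is rendered the vulnerable way (raw field value spliced into markup) and the hardened way (escaped first), reduced to string rendering so it runs in Node without a browser. Function names and the sample stack are assumptions.

```javascript
// Added example, not Grafana's code: the rendering mistake behind this class
// of bug and its fix, reduced to string rendering so it runs in Node without a
// browser. Function names and the sample stack are constructed.

// Constructed stack trace as it might arrive in a span log field. The last
// line is attacker-supplied markup; the `<anonymous>` frame is a normal V8
// stack frame that merely looks like a tag.
const sampleStack = [
  "Error: payment failed",
  "    at chargeCard (/srv/app/billing.js:42:11)",
  "    at <anonymous>:1:5",
  '<script src="https://example.invalid/x.js"></script>',
].join("\n");

// Escape the characters HTML treats specially so the browser displays them as
// text instead of parsing them as markup. Ampersand goes first so the entities
// produced by the later replacements are not double-escaped.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the raw field value is spliced into markup. In the
// browser this is what innerHTML or dangerouslySetInnerHTML does, so every tag
// inside the stack trace becomes part of the page.
function renderStackTraceUnsafe(stack) {
  return `<pre class="stack-trace">${stack}</pre>`;
}

// Hardened pattern: escape first, so "<script" reaches the DOM as literal
// text. Setting textContent on the element achieves the same in a browser.
function renderStackTraceSafe(stack) {
  return `<pre class="stack-trace">${escapeHtml(stack)}</pre>`;
}

// Count the tags an HTML parser would see in the rendered output.
function countTags(html) {
  return (html.match(/<\/?[a-zA-Z][^>]*>/g) || []).length;
}

console.log("unsafe tags:", countTags(renderStackTraceUnsafe(sampleStack))); // 5
console.log("safe tags:  ", countTags(renderStackTraceSafe(sampleStack)));   // 2
```

The `<anonymous>` frame shows a second effect of rendering as HTML: the browser parses it as an unknown element, so the frame name disappears from the display even when no payload is present, which is a cheap visual check that a view is rendering trace text as markup. In React, which Grafana's frontend uses, the safe form corresponds to passing the string as a text child rather than through dangerouslySetInnerHTML.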
Attack Vector
An attacker exploiting this vulnerability would need to:
- Gain the ability to inject data into stack trace fields that are stored in a Jaeger backend using the HTTP API
- Craft a malicious payload containing JavaScript embedded within HTML tags
- Wait for or lure a Grafana user to view the trace containing the malicious stack trace data
The injected JavaScript would then execute in the victim's browser within the context of the Grafana application, inheriting all permissions and session credentials of the logged-in user.
Concretely, stack trace data that contains HTML markup is rendered in the Explore Traces view without sanitization, so when a user views a trace from a Jaeger HTTP API datasource, any JavaScript embedded in the stack trace field executes in that user's browser context. For implementation details, see the Grafana Security Advisory for CVE-2025-41117.
Detection Methods for CVE-2025-41117
Indicators of Compromise
- Unusual JavaScript patterns or HTML tags appearing in stack trace fields within Jaeger data stores
- Unexpected network requests originating from Grafana user sessions to external domains
- Anomalous user session activity following trace data viewing
- Reports of unexpected browser behavior when viewing specific trace entries
Detection Strategies
- Monitor Jaeger backend logs for stack trace entries containing suspicious HTML or script tags
- Implement Content Security Policy (CSP) headers to detect and block unauthorized script execution
- Deploy browser-based XSS detection tools that can identify DOM manipulation attempts
- Review access logs for patterns indicating automated injection attempts into trace data
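A concrete form of the first detection strategy (and of the stack-field indicator above), as an added JavaScript example that is not Grafana or Jaeger code: it walks a trace in the shape the Jaeger HTTP query API returns (data[].spans[].tags[] and logs[].fields[], each field a key/type/value object) and reports fields whose values contain markup, while tolerating frames such as `<anonymous>` and `<init>` that look like tags in JavaScript and Java stack traces. The sample trace is constructed, and `stack` as the field name is an assumption taken from the OpenTracing log-field convention.

```javascript
// Added example, not Grafana or Jaeger code: scan a trace as returned by the
// Jaeger HTTP API (/api/traces/{traceID}) for HTML markup in span tag and log
// field values. The sample trace is constructed; `stack` as a field name is an
// assumption based on the OpenTracing log-field convention.

// Frames that legitimately look like tags in JavaScript and Java stack traces.
const STACK_PSEUDO_FRAMES = new Set(["anonymous", "init", "clinit", "eval", "module", "generated"]);

// Patterns that indicate markup rather than a stack frame.
const TAG_RE = /<\s*\/?\s*([a-zA-Z][\w-]*)[^>]*>/g;
const EVENT_HANDLER_RE = /\bon[a-z]+\s*=/i;
const JS_URI_RE = /javascript\s*:/i;

// Returns the distinct reasons a single string value is suspicious, or [] if clean.
function classifyValue(value) {
  if (typeof value !== "string") return [];
  const reasons = [];
  for (const m of value.matchAll(TAG_RE)) {
    const name = m[1].toLowerCase();
    if (!STACK_PSEUDO_FRAMES.has(name)) reasons.push(`html tag <${name}>`);
  }
  if (EVENT_HANDLER_RE.test(value)) reasons.push("event handler attribute");
  if (JS_URI_RE.test(value)) reasons.push("javascript: URI");
  return [...new Set(reasons)];
}

// Walk every tag and log field of every span; one finding per suspicious field.
function scanJaegerTrace(trace) {
  const findings = [];
  for (const item of trace.data || []) {
    for (const span of item.spans || []) {
      const fields = [
        ...(span.tags || []).map((t) => ({ where: "tag", ...t })),
        ...(span.logs || []).flatMap((l) => (l.fields || []).map((f) => ({ where: "log", ...f }))),
      ];
      for (const f of fields) {
        const reasons = classifyValue(f.value);
        if (reasons.length) {
          findings.push({ traceID: item.traceID, spanID: span.spanID, where: f.where, key: f.key, reasons });
        }
      }
    }
  }
  return findings;
}

// Constructed trace in the Jaeger query-API shape: one clean span whose stack
// contains an <anonymous> frame, one span whose stack carries a script tag.
const sampleTrace = {
  data: [{
    traceID: "0123456789abcdef",
    spans: [
      {
        spanID: "aaaa000000000001",
        operationName: "charge",
        tags: [{ key: "error", type: "bool", value: true }],
        logs: [{ timestamp: 1, fields: [
          { key: "event", type: "string", value: "error" },
          { key: "stack", type: "string", value: "Error: timeout\n    at charge (/srv/app/billing.js:42:11)\n    at <anonymous>:1:5" },
        ] }],
      },
      {
        spanID: "aaaa000000000002",
        operationName: "checkout",
        tags: [{ key: "http.url", type: "string", value: "/checkout" }],
        logs: [{ timestamp: 2, fields: [
          { key: "stack", type: "string", value: 'Error: boom\n<script src="https://example.invalid/x.js"></script>' },
        ] }],
      },
    ],
  }],
};

console.log(JSON.stringify(scanJaegerTrace(sampleTrace), null, 2));
```

Run it over the JSON from /api/traces/{traceID} for recently ingested traces, or over a sampled export, and forward findings (trace and span IDs, field key, reasons) to the SIEM; extend STACK_PSEUDO_FRAMES for runtimes whose frame syntax produces other angle-bracket tokens, since the allowlist is what keeps ordinary stack traces from being flagged.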
Monitoring Recommendations
- Enable detailed logging on Jaeger HTTP API endpoints to capture incoming trace data
- Configure web application firewall (WAF) rules to detect XSS patterns in trace submissions
- Implement anomaly detection for user session behavior following Explore Traces view access
- Set up alerts for CSP violation reports that may indicate attempted exploitation
How to Mitigate CVE-2025-41117
Immediate Actions Required
- Review and update Grafana to the latest patched version as indicated in the security advisory
- Audit existing trace data in Jaeger backends for suspicious content
- Implement Content Security Policy headers to mitigate the impact of any successful XSS attacks
- Consider temporarily restricting access to the Explore Traces view for untrusted datasources
Patch Information
Grafana has released a security advisory for this vulnerability. Organizations should consult the Grafana Security Advisory CVE-2025-41117 for specific patching instructions and affected version details. Apply the vendor-recommended patches as soon as they are available to remediate this XSS vulnerability.
Workarounds
- Switch affected datasources from Jaeger HTTP API to Jaeger gRPC, which does not appear to be vulnerable
- Implement strict input validation on systems that submit trace data to Jaeger backends
- Deploy a reverse proxy with XSS filtering capabilities in front of Grafana
- Restrict access to the Explore Traces feature to trusted users only until patching is complete
# Example: Add Content Security Policy headers in Grafana configuration
# Edit grafana.ini or set the equivalent environment variables (GF_SECURITY_CONTENT_SECURITY_POLICY=true)
[security]
# Enable strict Content Security Policy
content_security_policy = true
# Keep the $NONCE placeholder: Grafana replaces it with a per-request nonce for its own
# inline bootstrap script, and a script-src without it blocks the frontend from loading.
# Grafana's defaults.ini ships a fuller template (connect-src, img-src, font-src, ...);
# start from that and tighten it rather than replacing it wholesale.
# To trial a policy without breaking dashboards, use content_security_policy_report_only first.
content_security_policy_template = """script-src 'self' $NONCE; object-src 'none'; style-src 'self' 'unsafe-inline';"""
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.