Grafana Flaws Allow User Redirection and Code Execution in Dashboards
Grafana Labs has released critical security patches addressing two significant vulnerabilities that could enable attackers to redirect users to malicious websites and execute arbitrary code within dashboard environments.
The security update addresses CVE-2025-6023, a high-severity cross-site scripting (XSS) vulnerability, and CVE-2025-6197, a medium-severity open redirect flaw, both discovered through the company’s bug bounty program.
Critical XSS Vulnerability Enables Code Execution
The more severe vulnerability, CVE-2025-6023, represents a cross-site scripting attack vector that exploits client path traversal and open redirect mechanisms within Grafana’s scripted dashboards functionality.
| CVE ID | Severity | CVSS Score | Affected Versions | Primary Impact |
|---|---|---|---|---|
| CVE-2025-6023 | High | 7.6 | >= Grafana 11.5.0 | XSS, Code Execution |
| CVE-2025-6197 | Medium | 4.2 | >= Grafana 11.5.0 | Open Redirect |
This vulnerability carries a CVSS score of 7.6 and poses particular risks because it does not require editor permissions to exploit.
When anonymous access is enabled, the XSS vulnerability becomes immediately exploitable, allowing attackers to redirect users to malicious websites that can execute arbitrary JavaScript code.
The vulnerability affects Grafana Cloud users because the Content-Security-Policy lacked a connect-src directive, the directive that would otherwise stop the page from fetching JavaScript from attacker-controlled external origins.
While attackers do not need direct access to the Grafana instance to craft malicious payloads, victims must be authenticated with at least Viewer permissions for the arbitrary JavaScript execution to succeed. Successful exploitation could result in session hijacking or complete account takeover.
CVE-2025-6197, the medium-severity vulnerability with a CVSS score of 4.2, stems from flaws in Grafana’s organization switching functionality.
This open redirect vulnerability requires specific conditions for exploitation: the Grafana instance must have multiple organizations, the targeted user must be a member of both organizations involved in the switch, and the attacker must know the organization ID currently being viewed.
Grafana Cloud users are not affected by this particular vulnerability since the cloud service does not support Organizations.
Grafana Labs has released security patches for versions 12.0.x, 11.6.x, 11.5.x, 11.4.x, and 11.3.x. The vulnerabilities were discovered by security researchers Hoa X. Nguyen from OPSWAT and Dat Phung through the company’s bug bounty program.
For organizations unable to immediately upgrade, Grafana recommends implementing Content Security Policy configurations or blocking specific URL patterns as temporary mitigation measures.
These vulnerabilities highlight the importance of maintaining updated Grafana installations and implementing robust security policies.
The rapid response from Grafana Labs, including coordinated disclosure with cloud providers and advance notification to customers, demonstrates effective vulnerability management practices.
Organizations should prioritize upgrading to the latest security-patched versions to prevent potential exploitation of these critical flaws.