Grafana Vulnerabilities Allow User Redirection to Malicious Sites and Code Execution in Dashboards
Grafana Labs has patched two significant vulnerabilities that could allow attackers to redirect users to malicious websites and execute arbitrary JavaScript code in victims' browsers.
The vulnerabilities, identified as CVE-2025-6023 and CVE-2025-6197, affect multiple versions of Grafana, including the 12.0.x, 11.6.x, 11.5.x, 11.4.x, and 11.3.x branches.
Both security flaws were discovered through Grafana’s bug bounty program, with researchers Hoa X. Nguyen from OPSWAT and Dat Phung responsible for the respective discoveries.
Key Takeaways
1. CVE-2025-6023 (high-severity XSS) and CVE-2025-6197 (medium-severity open redirect) have been patched in Grafana 12.0.2, 11.6.3, 11.5.6, 11.4.6 and 11.3.8 (the +security-01 builds).
2. Attackers can redirect users to attacker-controlled sites and, for CVE-2025-6023, execute JavaScript in an authenticated victim's Grafana session.
3. Upgrade immediately; where that is not possible, apply the Content Security Policy mitigation (CVE-2025-6023) or the ingress and single-organization mitigations (CVE-2025-6197).
High-Severity XSS Vulnerability
The more serious vulnerability, CVE-2025-6023, carries a CVSS score of 7.6 and is a high-severity cross-site scripting (XSS) flaw.
It chains a client-side path traversal with an open redirect: a crafted link sends the victim's browser to an attacker-controlled site, and the attacker's JavaScript then executes via Grafana's scripted dashboards feature.
What makes this vulnerability particularly dangerous is that it does not require editor permissions to exploit, and if anonymous access is enabled, the XSS is exploitable against any visitor without an account.
The vulnerability affects Grafana versions >= 11.5.0 and poses a particular risk to Grafana Cloud users, whose Content-Security-Policy lacks a connect-src directive; connect-src restricts the origins that page scripts may fetch from, so without it an injected script can load further JavaScript from an attacker-controlled host.
The attacker does not need an account on the target instance to craft the payload, but the victim must be logged in with at least Viewer permissions for the JavaScript to execute.
The potential impact includes session hijacking and complete account takeover through malicious script execution.
Medium-Severity Open Redirect Flaw
CVE-2025-6197, with a CVSS score of 4.2, represents a medium-severity open redirect vulnerability within Grafana’s organization switching functionality.
Exploitation requires specific conditions: the Grafana instance must have multiple organizations, the targeted user must be a member of both organizations being switched between, and the attacker must know the ID of the organization the user is currently viewing.
Notably, Grafana Cloud users remain unaffected by this particular vulnerability since the platform does not support Organizations.
However, the open redirect mechanism can potentially be chained with other attacks to achieve XSS, similar to the patterns observed in CVE-2025-6023 and the previous vulnerability CVE-2025-4123.
| CVE | Title | Affected Versions | Patched Versions | CVSS 3.1 Score | Severity |
| --- | --- | --- | --- | --- | --- |
| CVE-2025-6023 | XSS via client path traversal and open redirect | >= Grafana 11.5.0 | 12.0.2+security-01, 11.6.3+security-01, 11.5.6+security-01, 11.4.6+security-01, 11.3.8+security-01 | 7.6 | High |
| CVE-2025-6197 | Open redirect via organization switching | >= Grafana 11.5.0 | 12.0.2+security-01, 11.6.3+security-01, 11.5.6+security-01, 11.4.6+security-01, 11.3.8+security-01 | 4.2 | Medium |
Patches Available
Grafana Labs has released comprehensive security patches across all affected versions, including Grafana 12.0.2+security-01, 11.6.3+security-01, 11.5.6+security-01, 11.4.6+security-01, and 11.3.8+security-01.
For organizations unable to immediately upgrade, temporary mitigation strategies are available.
For CVE-2025-6023, administrators can enable a Content Security Policy that includes a restrictive connect-src directive, using the template provided in Grafana's advisory.
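As an added illustration (this is not the advisory's template and not Grafana's own code), the following grafana.ini fragment for a self-hosted instance shows the shape of that mitigation: CSP is switched on, and connect-src is pinned to the instance's own origin so that a script running in the page cannot fetch payloads from an attacker-controlled host. The directive list follows Grafana's documented default template (check it against the defaults.ini shipped with your version); $NONCE and $ROOT_PATH are placeholders Grafana substitutes at runtime, and grafana.com plus any external data sources your front end must reach are the only additions you should need.

```ini
# Added example, not Grafana's advisory template. CSP is off by default
# (content_security_policy = false); enabling it with this template adds a
# connect-src that limits fetch/XHR/WebSocket targets to 'self' (the Grafana
# origin), grafana.com and the instance's own WebSocket endpoints.
# $NONCE and $ROOT_PATH are substituted by Grafana at runtime.
[security]
content_security_policy = true
content_security_policy_template = """script-src 'self' 'unsafe-eval' 'unsafe-inline' 'strict-dynamic' $NONCE;object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline' blob:;img-src * data:;base-uri 'self';connect-src 'self' grafana.com ws://$ROOT_PATH wss://$ROOT_PATH;manifest-src 'self';media-src 'none';form-action 'self';"""
```

After restarting Grafana, confirm the header is present (for example with `curl -sI https://<your-grafana>/login | grep -i content-security-policy`) and that it contains a connect-src directive; a script injected through the XSS then cannot pull additional JavaScript from a host outside that list. Grafana Cloud customers cannot set this themselves and depend on the patched release.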
For CVE-2025-6197, administrators can block requests to Grafana URLs whose path begins with `/\` (URL-encoded `%2F%5C`) in their ingress configuration, or limit instances to single-organization deployments.
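The exact redirect handling in Grafana's organization switcher is not described on this page, so the following is an added example (not Grafana's code) of the general class the `/\` mitigation targets: a target beginning with `/\` passes a naive "starts with a single slash, so it is a local path" check, yet browsers (and Node.js, whose URL class implements the same WHATWG parsing) resolve it to another host. It also shows a resolver-based check that rejects that form along with the protocol-relative, percent-encoded and non-http variants. `BASE` and the sample targets are constructed for illustration.

```javascript
// Added example (not Grafana's code): naive vs. resolver-based validation of a
// user-supplied redirect target. BASE and the sample targets are constructed.
const BASE = "https://grafana.example.com/";

// Naive check of the kind open-redirect bugs typically rely on:
// "starts with exactly one slash, so it must be a path on our own host".
function naiveIsLocal(target) {
  return target.startsWith("/") && !target.startsWith("//");
}

// Where does the browser actually go? WHATWG URL parsing treats "\" like "/"
// for http(s) URLs, so "/\evil.com" is "//evil.com", i.e. https://evil.com/.
function resolvedHost(target, base = BASE) {
  try {
    return new URL(target, base).hostname;
  } catch {
    return null; // unparseable input
  }
}

// Hardened check: decode the parameter the way a server would before emitting
// a Location header (bounded loop so double-encoding is caught too), reject
// control characters, resolve against our own origin and require the result
// to stay on it. This covers "//", "/\", "%2F%5C", absolute URLs and
// non-http schemes such as javascript:, whose origin is "null".
function isSafeRedirect(rawTarget, base = BASE) {
  let target = rawTarget;
  try {
    for (let i = 0; i < 3; i++) {
      const decoded = decodeURIComponent(target);
      if (decoded === target) break;
      target = decoded;
    }
  } catch {
    return false; // malformed percent-encoding
  }
  if (/[\x00-\x1f\x7f]/.test(target)) return false;
  let resolved;
  try {
    resolved = new URL(target, base);
  } catch {
    return false;
  }
  const self = new URL(base);
  return resolved.origin === self.origin && resolved.protocol === self.protocol;
}

// Stand-alone demonstration of the two checks side by side.
for (const t of ["/d/abc123/overview?orgId=2", "/\\evil.com", "/%5Cevil.com", "//evil.com"]) {
  console.log(JSON.stringify(t), "naive:", naiveIsLocal(t),
    "resolves to:", resolvedHost(t), "hardened:", isSafeRedirect(t));
}
```

Note the asymmetry the ingress rule accounts for: the raw `/\evil.com` form resolves off-host directly, while `/%5Cevil.com` resolves on-host unless the server percent-decodes it before redirecting; because that decoding step is exactly what an application-level redirect often does, the hardened check decodes before resolving, and an ingress rule should block the encoded form as well as the literal one.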