Grafana Zero-Day Vulnerability Allows Attackers to Redirect Users to Malicious Sites
A high-severity cross-site scripting (XSS) vulnerability has been discovered in Grafana, prompting the immediate release of security patches across all supported versions.
The vulnerability (CVE-2025-4123) enables attackers to redirect users to malicious websites where arbitrary JavaScript code can be executed.
Grafana Labs has released patches ahead of schedule after discovering the vulnerability had been publicly exposed, potentially putting users at risk.
The recently discovered vulnerability in Grafana, assigned CVE-2025-4123 with a CVSS score of 7.6 (HIGH), allows attackers to perform client path traversal and open redirect attacks.
Unlike typical XSS vulnerabilities, this security flaw doesn’t require editor permissions to exploit, making it particularly dangerous.
If anonymous access is enabled on a Grafana instance, the vulnerability becomes even easier to exploit.
Security researchers have noted that the vulnerability can be weaponized through custom frontend plugins, enabling malicious actors to redirect users to external websites where harmful JavaScript could be executed within their browsers.
The consequences could be severe, potentially resulting in session hijacking or complete account takeover.
Additionally, if the Grafana Image Renderer plugin is installed, the vulnerability can be abused as a full read Server-Side Request Forgery (SSRF) attack, further expanding its potential impact.
The vulnerability impacts all supported versions of Grafana OSS and Grafana Enterprise, including versions 11.2 through 12.0, as well as unsupported versions dating back to at least Grafana 8.
However, Grafana Cloud instances remain unaffected by this vulnerability, as confirmed by Grafana Labs.
Cloud providers offering Grafana Cloud Pro, including Amazon Managed Grafana and Azure Managed Grafana, were notified early under embargo and have secured their offerings.
To address the vulnerability, Grafana Labs has released security patches for all supported versions: 12.0.0+security-01, 11.6.1+security-01, 11.5.4+security-01, 11.4.4+security-01, 11.3.6+security-01, 11.2.9+security-01, and 10.4.18+security-01.
Organizations running vulnerable versions should upgrade immediately to the corresponding patched version.
For those unable to upgrade immediately, an alternative mitigation involves implementing the default Content Security Policy configuration as detailed in the Grafana documentation, which can effectively block the attack vector.
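As an added example that is not part of the original article or of Grafana's own tooling, the following Python helper checks an inventory of Grafana version strings against the patched releases listed above so an operator can see which instances still need upgrading. It assumes that a later patch release in the same line (for example 12.0.1) also carries the fix, and that every release line older than those in the advisory table is unsupported and affected.

```python
import re

# Patched releases from the advisory, keyed by release line (major, minor):
# value is (patch, security build) of the first fixed build in that line.
PATCHED = {
    (12, 0): (0, 1), (11, 6): (1, 1), (11, 5): (4, 1), (11, 4): (4, 1),
    (11, 3): (6, 1), (11, 2): (9, 1), (10, 4): (18, 1),
}

# Grafana version strings look like "11.2.9" or "11.2.9+security-01".
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:\+security-(\d+))?$")


def parse_version(text):
    """Return (major, minor, patch, security_build); security_build is 0 when absent."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version: {text!r}")
    major, minor, patch, sec = m.groups()
    return int(major), int(minor), int(patch), int(sec or 0)


def assess(text):
    """Classify one version: 'patched', 'vulnerable', 'vulnerable-unsupported' or 'unknown-line'."""
    major, minor, patch, sec = parse_version(text)
    fixed = PATCHED.get((major, minor))
    if fixed is None:
        # Lines newer than 12.0 are not covered by the advisory; older lines
        # (11.0, 11.1, 10.x below 10.4, back to Grafana 8) are unsupported
        # and affected (assumption: treat anything older the same way).
        return "unknown-line" if (major, minor) > (12, 0) else "vulnerable-unsupported"
    # Same line: fixed once patch/security build reaches the first fixed build.
    # Assumption: later patch releases in the line include the fix.
    return "patched" if (patch, sec) >= fixed else "vulnerable"


def triage(inventory):
    """Return {host: status} for every instance that is not confirmed patched."""
    return {host: assess(ver) for host, ver in inventory.items()
            if assess(ver) != "patched"}


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {"grafana-prod-1": "12.0.0", "grafana-prod-2": "12.0.0+security-01",
              "grafana-legacy": "9.5.3", "grafana-dev": "11.6.1+security-01"}
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```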
Response Timeline and Bug Bounty Discovery
The vulnerability was initially reported through Grafana’s bug bounty program by security researcher Alvaro Balada on April 26, 2025. Within two days, the Grafana security team had triaged and confirmed the vulnerability, and by April 30, an internal fix had been created.
Partners and customers were contacted on May 1, with private releases created by May 6.
The planned public release was accelerated when Grafana Labs discovered on May 21 that details of the vulnerability had leaked to the public.
This prompted an immediate decision to release security patches one day ahead of schedule, with the public release occurring on May 21 at 18:00 UTC, followed by an official announcement three hours later.
Grafana Labs continues to encourage security researchers to report vulnerabilities through their official bug bounty program and reminds users to follow their security announcements blog for updates on security patches and best practices.