XSS vulnerability in Grafana- CVE-2025-4123

Vulnerable Version

Grafana versions 10.x, 11.x, and 12.x before v10.4.18+security-01, v11.2.9+security-01, v11.3.6+security-01, v11.4.4+security-01, v11.5.4+security-01, v11.6.1+security-01, and v12.0.0+security-01

Fixed Version

UPdate latest Versions

Base Score

7.8 High                                                                  

Vendor Description:-

Grafana is an open-source analytics and visualization platform that monitors and analyzes metrics from multiple data sources. It offers configurable dashboards with rich visuals such as graphs, charts, and alerts. Grafana integrates with a variety of tools, including Prometheus, InfluxDB, Elasticsearch, and MySQL. It is frequently used in DevOps and cybersecurity to monitor infrastructure, respond to incidents, and analyze performance. Grafana’s role-based access management and plugin support allow teams to communicate productively while gaining meaningful insights from their data.

CVE-2025-4123 Description:-

Grafana provides utilities for managing static resources. staticHandlerIn response to a client request, a file located in a certain path is returned. At this point, opt.FileSystem.Open(file) will return Content if the file is a file, and Redirect if the file is a directory.

During this procedure, the client’s request path is not adequately checked, resulting in an Open Redirect vulnerability that, when paired with XSS, can lead to Account Takeover.

Open Redirect

Logic where open redirects occur http.Redirect()to reach. opt.FileSystem.Open(file)The path contained in the file variable must exist within the file system. fi.IsDir()You should be able to enter the conditional statement.

Therefore, http.Redirect()Of opt.FileSystem.Open(file)You have to manipulate the request path to make it usable in both functions, and the important thing is that we have to do it. ?URL Encoded %3fHere’s it.

  • The above route is interpreted four times using Open(file). / To do this, point to “”. This opens the file handle for the path /staticfiles/etc/etc/ in the code.
  • The function fi.IsDir() returns True, which enters the if statement.
  • http.Redirect(path) is used when processing a string for a location.It is divided into Path and Raw Query, and then it is processed by string, so it can be utilized by the user. /\attacker.com/%3f/../../../..Send it to the location header.

Impact

  • Open Redirect Vulnerability: The flaw allows attackers to craft URLs that force the application to redirect users to malicious external or protocol-relative URLs. This provides a foundation for phishing, social engineering, or more complex exploit chains.
  • Full Read SSRF (Server-Side Request Forgery): By chaining the open redirect with endpoints like /render, authenticated attackers can trick the application into fetching and rendering content from internal network resources, potentially exposing sensitive internal information.
  • Client-Side Path Traversal: Exploits in client-side JavaScript allow traversal that can bypass expected controls, enabling the loading of unexpected server routes and resources.
  • Remote Code Execution via XSS: Through carefully crafted malicious plugins and path traversals, attackers can inject and execute arbitrary JavaScript in a victim’s browser, leading to potential account takeover and further lateral movement.
  • Account Takeover: Successful exploitation lets attackers load and execute hostile scripts, enabling them to change user emails or reset passwords, ultimately gaining unauthorized access to targeted accounts.
  • Multi-Step Exploit Chain: While each bug individually may be moderate, the unique chaining of open redirects, SSRF, and path traversal greatly amplifies the attack’s severity, affecting even authenticated users in sensitive contexts.

Mitigations

  • Strict URL Validation: Ensure all redirect endpoints rigorously validate URL parameters and always resolve to safe, internal paths; reject URLs starting with protocol-relative (//) or encoded path traversal (..%2f) patterns.
  • Sanitize User Input Server-Side and Client-Side: Implement robust input sanitization both at the server/API layer and in client-side code to prevent path traversal and unexpected resource loading.
  • Restrict Sensitive Endpoints: Limit access to powerful endpoints like /render to trusted users or remove them from production deployments if not strictly necessary.
  • Content Security Policy (CSP): Enforce strong CSP headers to restrict the domains from which scripts and plugins can be loaded to mitigate XSS risk.
  • Regular Dependency and Security Reviews: Continuously review and test application logic, particularly in authentication, file handling, and plugin management code, for edge-case vulnerabilities.
  • Prompt Patching and Updates: Monitor advisories for Grafana and patch affected instances immediately upon fix release, as these chained vulnerabilities have high post-disclosure exploitation potential

.

Leave a Reply

Your email address will not be published. Required fields are marked *