Grafana security release: High severity security fix for CVE-2025-4123

2025-05-21

Today we are releasing Grafana 12.0.0+security-01 as well as security patches for all supported versions of Grafana. These security releases contain a fix for CVE-2025-4123, a high severity cross-site scripting (XSS) vulnerability that allows attackers to redirect users to malicious websites. 

We are publishing the security patches for CVE-2025-4123 one day ahead of schedule because we discovered that this vulnerability has been made public. 

We will be releasing the regularly scheduled patch releases for Grafana 12.0 and all supported versions on Thursday, May 22. These patch releases will also include the fix for CVE-2025-4123.

Releases containing the security patch:

  • Grafana 12.0.0+security-01 (latest release)
  • Grafana 11.6.1+security-01
  • Grafana 11.5.4+security-01
  • Grafana 11.4.4+security-01
  • Grafana 11.3.6+security-01
  • Grafana 11.2.9+security-01
  • Grafana 10.4.18+security-01

Grafana Cloud instances are not impacted by this vulnerability.

We closely coordinated with all cloud providers licensed to offer Grafana Cloud Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This is applicable to Amazon Managed Grafana and Azure Managed Grafana.

XSS vulnerability (CVE-2025-4123)

Summary

On April 26, a bug bounty report identified a cross-site scripting (XSS) vulnerability in Grafana caused by client-side path traversal combined with an open redirect. This allows attackers to redirect users to malicious websites that execute arbitrary JavaScript code through custom frontend plugins. Unlike many other XSS vulnerabilities, this vulnerability does not require editor permissions. If anonymous access is enabled, the XSS works without any authentication.

Note: This can be abused as a full read SSRF if the Grafana Image Renderer plugin is installed.

The CVSS score for this vulnerability is 7.6 HIGH.

Impact

This XSS vulnerability could enable the redirection of users to external websites and the execution of malicious JavaScript within their browsers. Successful exploitation of this vulnerability might result in session hijacking or complete account takeover.

Impacted versions

This vulnerability impacts Grafana OSS and Grafana Enterprise running on all supported versions of Grafana at this time, and unsupported versions going back to at least Grafana 8.

As a reminder, the following versions are supported as of the date of this blog post:

  • >= Grafana 11.2
  • >= Grafana 11.3
  • >= Grafana 11.4
  • >= Grafana 11.5
  • >= Grafana 11.6
  • >= Grafana 12.0

Grafana Cloud users were not impacted by this vulnerability.

Solutions and mitigations

To fully address CVE-2025-4123, please upgrade your Grafana instances.

Alternatively, you can block this attack by enabling the default Content Security Policy configuration suggested in the Grafana docs.

Example (these keys live in the [security] section of grafana.ini or custom.ini):

# [security] section of grafana.ini / custom.ini
[security]
# Enable sending the Content-Security-Policy header
content_security_policy = true
# Default policy template; $NONCE and $ROOT_PATH are substituted by Grafana at runtime
content_security_policy_template = """script-src 'self' 'unsafe-eval' 'unsafe-inline' 'strict-dynamic' $NONCE;object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline' blob:;img-src * data:;base-uri 'self';connect-src 'self' grafana.com ws://$ROOT_PATH wss://$ROOT_PATH;manifest-src 'self';media-src 'none';form-action 'self';"""
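To help defenders triage a fleet of self-hosted instances against the impacted and patched versions listed above, here is an added example (not Grafana Labs' code) that classifies a Grafana version string against the fixed builds in this advisory. It assumes only the version format Grafana itself uses (`12.0.0+security-01`, where the `+security-NN` suffix marks a security build); the function names and sample inputs are my own.

```python
"""Classify a self-hosted Grafana build against the CVE-2025-4123 fix list.

Added example, not Grafana Labs' code. The patched builds come from the
advisory above; a "+security-NN" suffix is Grafana's build-metadata marker
for a security release. Function names and sample inputs are assumptions.
"""
import re

# First patched build on each supported line, as (patch, security_build).
FIXED = {
    (12, 0): (0, 1), (11, 6): (1, 1), (11, 5): (4, 1), (11, 4): (4, 1),
    (11, 3): (6, 1), (11, 2): (9, 1), (10, 4): (18, 1),
}
NEWEST_LINE = max(FIXED)  # lines newer than this post-date the advisory

_VERSION = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:\+security-(\d+))?$")


def parse_version(text):
    """'11.6.1+security-01' -> (11, 6, 1, 1); plain '11.6.1' -> (11, 6, 1, 0)."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version: {text!r}")
    major, minor, patch, sec = m.groups()
    return int(major), int(minor), int(patch), int(sec or 0)


def cve_2025_4123_status(text):
    """Return 'fixed', 'vulnerable' or 'unknown' for a Grafana version string.

    Any build on a line older than those in FIXED is unsupported and, per the
    advisory, affected back to at least Grafana 8. A later patch on a fixed
    line (e.g. the regular 11.6.x release that followed) carries the fix.
    Lines newer than 12.0 were cut after the fix but are not listed in the
    advisory, so they are reported as 'unknown' rather than guessed.
    """
    major, minor, patch, sec = parse_version(text)
    line = (major, minor)
    if line > NEWEST_LINE:
        return "unknown"
    if line not in FIXED:
        return "vulnerable"
    if (patch, sec) >= FIXED[line]:
        return "fixed"
    return "vulnerable"


if __name__ == "__main__":
    for v in ("12.0.0", "12.0.0+security-01", "11.6.2", "10.4.17", "9.5.3"):
        print(f"{v:22} {cve_2025_4123_status(v)}")
```

Point it at the `version` field of each instance's `/api/health` response (or your asset inventory) to produce a patch worklist; a version check does not tell you whether the CSP mitigation is in place, so treat "vulnerable" as "upgrade or verify the header".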

Timeline and post-incident review

Here is a detailed incident timeline starting from when we originally introduced the issue. All times are in UTC.

  • 2025-04-26 15:17 - Bug bounty report created
  • 2025-04-28 07:33 - Bug bounty report triaged and confirmed as valid
  • 2025-04-30 07:22 - Fix created internally
  • 2025-05-01 21:22 - Partners and customers contacted
  • 2025-05-06 21:24 - Private releases created
  • 2025-05-21 12:09 - Discovery that vulnerability was leaked to public
  • 2025-05-21 14:13 - Decision made to release security patches one day ahead of schedule
  • 2025-05-21 18:00 - Public release
  • 2025-05-21 21:00 - Blog post published

Acknowledgements

This vulnerability was discovered by Alvaro Balada, who notified us through our bug bounty program.

Reporting security issues

If you think you have found a security vulnerability, please go to our Report a security issue page to learn how to send a security report.

Grafana Labs will send you a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.

Important: We ask you not to disclose the vulnerability before it has been fixed and announced, unless you have received a response from the Grafana Labs security team confirming that you may do so.

Security announcements

We maintain a security category on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes. You can also subscribe to our RSS feed.