Cyber Posture

CVE-2025-11539

Critical · RCE

Published: 09 October 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: grafana-image-renderer 4.0.17 or later
CVSS Score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0038 (59.6th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-11539 is a critical-severity Code Injection (CWE-94) vulnerability in Grafana Image Renderer (inferred from references). Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 40.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

Prevent (SI-2, Flaw Remediation): directly mitigates the vulnerability by requiring timely remediation of the arbitrary file write flaw through patching to grafana-image-renderer 4.0.17 or later.

Prevent (SI-10, Information Input Validation): addresses the root cause by enforcing validation of the unvalidated filePath parameter in the /render/csv endpoint to block arbitrary file writes.

Prevent: prevents exploitation by requiring management and replacement of the default authToken, blocking unauthorized access to the vulnerable endpoint.

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability enables remote code execution through exploitation of a public-facing web endpoint (/render/csv) in Grafana Image Renderer, allowing arbitrary file writes of malicious shared objects loaded by Chromium, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Grafana Image Renderer is vulnerable to remote code execution due to an arbitrary file write vulnerability. This is due to the fact that the /render/csv endpoint lacked validation of the filePath parameter that allowed an attacker to save a shared object to an arbitrary location that is then loaded by the Chromium process. Instances are vulnerable if:

1. The default token ("authToken") is not changed, or is known to the attacker.
2. The attacker can reach the image renderer endpoint.

This issue affects grafana-image-renderer: from 1.0.0 through 4.0.16.

Deeper analysis · AI

CVE-2025-11539 is a remote code execution vulnerability in Grafana Image Renderer, stemming from an arbitrary file write flaw in the /render/csv endpoint. The endpoint fails to validate the filePath parameter, enabling an attacker to save a malicious shared object to an arbitrary location on the filesystem. This object is subsequently loaded by the underlying Chromium process, leading to code execution. The issue affects versions of grafana-image-renderer from 1.0.0 through 4.0.16 and has a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), mapped to CWE-94 (Code Injection).

An attacker can exploit this vulnerability if they know or guess the authentication token—defaults to "authToken" if unchanged—and have network access to the image renderer endpoint. Exploitation requires low privileges (PR:L), with no user interaction needed. Successful attacks grant remote code execution on the host running the renderer, potentially allowing full system compromise due to the scope change (S:C) and high impacts on confidentiality, integrity, and availability.

Mitigation details are available in the Grafana security advisory at https://grafana.com/security/security-advisories/cve-2025-11539/ and the release notes for version 4.0.17 at https://github.com/grafana/grafana-image-renderer/releases/tag/v4.0.17, which addresses the validation flaw. Security practitioners should upgrade to grafana-image-renderer 4.0.17 or later and change the default authToken.

Details

CWE(s): CWE-94 (Code Injection)

Affected Products: Grafana Image Renderer (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2025-23209 (shared CWE-94)
CVE-2026-39440 (shared CWE-94)
CVE-2026-3300 (shared CWE-94)
CVE-2025-6389 (shared CWE-94)
CVE-2025-8723 (shared CWE-94)
CVE-2025-34277 (shared CWE-94)
CVE-2025-57141 (shared CWE-94)
CVE-2024-48818 (shared CWE-94)
CVE-2025-10679 (shared CWE-94)
CVE-2025-9321 (shared CWE-94)

References