Cyber Resilience

CVE-2025-4123

HighPublic PoC

Published: 22 May 2025

Published
22 May 2025
Modified
29 April 2026
KEV Added
Patch
CVSS Score v3.1 7.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
EPSS Score 0.0689 91.6th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-4123 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Grafana Grafana. Its CVSS base score is 7.6 (High).

Operationally, ranked in the top 8.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

A cross-site scripting vulnerability exists in Grafana that combines client-side path traversal with an open redirect. Attackers can redirect users to an attacker-controlled site hosting a frontend plugin that executes arbitrary JavaScript in the victim's browser. The issue affects instances where anonymous access is enabled and does not require editor permissions. When the Grafana Image Renderer plugin is also installed, the open redirect can be leveraged for full-read server-side request forgery.

An unauthenticated attacker can exploit the flaw by crafting a malicious link that triggers the redirect and plugin execution, achieving JavaScript execution or SSRF depending on the environment. The default Content-Security-Policy blocks the XSS via its connect-src directive, limiting impact in standard configurations.

Grafana's security advisory and accompanying blog post detail the issue and recommend applying the fixes released in the May 2025 security update. Administrators should verify plugin installations and review anonymous access settings as part of mitigation.

The EPSS score rose from a low baseline to a peak of 0.2295 on 2026-03-01 before receding to 0.0689, indicating emerging exploitation interest after disclosure. Public exploit code is available on Exploit-DB.

EU & UK References

Vulnerability details

A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does…

more

not require editor permissions and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF. The default Content-Security-Policy (CSP) in Grafana will block the XSS though the `connect-src` directive.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

grafana
grafana
10.4.18, 11.2.9, 11.3.6, 11.4.4, 11.5.4 · ≤ 10.4.18 · 11.2.0 — 11.2.9 · 11.3.0 — 11.3.6

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-79 CWE-601

Validates web inputs to reject script-related content that could produce XSS.

addresses: CWE-601

Security awareness includes verifying URLs and avoiding untrusted redirects that lead to malicious sites.

addresses: CWE-79

Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.

addresses: CWE-79

Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.

References