CVE-2025-4123: 
Grafana vulnerability analysis and mitigation

A cross-site scripting (XSS) vulnerability (CVE-2025-4123) was discovered in Grafana, disclosed on May 21, 2025. The vulnerability exists in Grafana's custom frontend plugin handling functionality, combining a client path traversal and open redirect vulnerability. This security issue can be exploited without requiring editor permissions and is effective when anonymous access is enabled (Grafana Advisory, NVD).

The vulnerability exists in Grafana's frontend plugin handling system, allowing attackers to redirect users to a website hosting a malicious frontend plugin that can execute arbitrary JavaScript. The vulnerability has received a CVSS v3.1 base score of 7.6 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L. The default Content-Security-Policy (CSP) in Grafana provides some protection by blocking the XSS through the connect-src directive (Wiz, NVD).

If exploited, the vulnerability can lead to arbitrary JavaScript execution in the context of the user's browser. Additionally, when the Grafana Image Renderer plugin is installed, the open redirect can be leveraged to achieve a full read Server-Side Request Forgery (SSRF). This could potentially lead to unauthorized access to sensitive information and compromise of user sessions (Wiz).

The vulnerability has been fixed in multiple Grafana versions including v10.4.18+security-01, v11.2.9+security-01, v11.3.6+security-01, v11.4.4+security-01, v11.5.4+security-01, v11.6.1+security-01, and v12.0.0+security-01. Users are strongly advised to upgrade to these patched versions to mitigate the vulnerability (Grafana Advisory, Wiz).