CVE-2025-8341: 
vulnerability analysis and mitigation

CVE-2025-8341 is a security vulnerability discovered in the Grafana Infinity datasource plugin, which was disclosed on August 4, 2025. The plugin, maintained by Grafana Labs, is designed to visualize data from JSON, CSV, XML, GraphQL, and HTML endpoints. This vulnerability affects the URL restriction functionality in versions prior to 3.4.1 (Grafana Advisory, NVD).

The vulnerability is classified as a Server-Side Request Forgery (SSRF) issue with a CVSS v3.1 base score of 5.0 (Medium). The technical assessment shows that the vulnerability exists in the URL handling mechanism where the plugin was configured to allow only certain URLs. The vulnerability is tracked under CWE-918 (Server-Side Request Forgery) (NVD).

When exploited, this vulnerability could allow an attacker to bypass URL restrictions that were configured in the plugin, potentially enabling unauthorized access to internal resources or services that should have been restricted. The vulnerability has a CVSS environmental scope classified as 'Changed' with Low confidentiality impact (NVD).

The vulnerability has been fixed in version 3.4.1 of the Infinity datasource plugin. The update implements proper URL scheme handling, where URLs specified without http:// or https:// scheme now default to https:// for non-localhost URLs. Users are strongly advised to upgrade to version 3.4.1 or later to address this security issue (Github Release).