Over 46,000 internet-facing Grafana servers (≈36 % of those online) are still running versions susceptible to CVE-2025-4123, a high-severity open-redirect that chains into stored cross-site scripting (XSS).
A successful exploit lets an attacker trick any logged-in Grafana user into loading a rogue plugin, hijacking sessions, resetting passwords, and, if the Image Renderer plugin is present, pivoting to full-read SSRF against internal services.
Why it matters
Grafana dashboards often sit at the heart of observability pipelines and are wired to sensitive backend data sources (Prometheus, Loki, cloud metrics, etc.). Compromising an admin account can expose credentials, cloud API keys, and footholds for lateral movement deeper into production.
Public proofs-of-concept are circulating, so patch lag is now the primary driver of risk.
Technical details
CVE/CVSS: CVE-2025-4123 • 8.2 HIGH (Grafana Labs scoring)
Root cause: Combo of client-side path traversal and open-redirect in Grafana’s front-end router lets attackers load arbitrary plugins from attacker-controlled hosts.
Exploit flow:
- Craft URL abusing public/plugins/… route
- Victim (any role, including anonymous) clicks link while logged in
- Malicious plugin loads, runs JavaScript under Grafana origin
- JS alters user e-mail → triggers password-reset or hijacks bearer token.
Impact: Account takeover, stored XSS, credential theft, SSRF to internal metadata endpoints when Image Renderer plugin enabled.
Affected & fixed versions
Upgrade immediately to one of the security builds below (or any later version):
- 10.4.18+security-01
- 11.2.9+security-01 • 11.3.6+security-01 • 11.4.4+security-01 • 11.5.4+security-01 • 11.6.1+security-01
- 12.0.0+security-01 (or newer 12.x releases)
Note: All standard 12.0.0 packages released before 21 May 2025 remain vulnerable.
Detection cues
- Unexpected outbound requests to external domains under the /public/plugins/ path.
- Browser console logs referencing unknown plugin IDs.
- Audit-log entries for user-profile email changes followed by password resets.
- In environments with Image Renderer, watch for renderer pods requesting internal metadata URLs (169.254.169.254, AWS IMDS, GCP metadata).
Mitigation & hardening checklist
- Patch now — apply the security builds or 12.0.1+ as soon as operationally possible.
- Disable anonymous access ( auth.anonymous.enabled = false ) unless absolutely required.
- Restrict plugin loading via plugins.allow_loading_unsigned_plugins = false.
- Strengthen CSP by adding script-src ‘self’ directives to block external JS (helps, but does not replace patching).
- Remove or isolate the Image Renderer plugin if not essential.
OP Innovate’s take
While we can’t confirm active exploitation, public attention around CVE-2025-4123 has grown rapidly following recent disclosures. It’s likely that scanning activity for vulnerable /login and /public/plugins/ paths has increased as a result.
Given the trivial lure (“click to see new dashboard”) and the fact that no credentials are needed, this bug is a strong candidate for inclusion in red-team toolkits and opportunistic attack chains.
Organizations using Grafana in production should prioritize emergency patching, tighten plugin policies, and audit SSO/OAuth tokens issued via the platform.
Need help assessing exposure or closing gaps? OP Innovate’s WASP platform delivers continuous visibility into exploitable vulnerabilities, helping your team prioritize critical risks, validate remediation, and stay ahead of emerging threats like CVE-2025-4123.
