{"id":"CVE-2025-4123","details":"A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions, and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF.\n\nThe default Content-Security-Policy (CSP) in Grafana will block the XSS through the `connect-src` directive.","aliases":["BIT-grafana-2025-4123","GHSA-q53q-gxq9-mgrj","GO-2025-3704"],"modified":"2026-04-02T12:48:57.285785Z","published":"2025-05-22T08:15:52.720Z","related":["ALSA-2025:7893","ALSA-2025:7894","SUSE-SU-2025:01985-1","openSUSE-SU-2025:15171-1","openSUSE-SU-2025:15179-1"],"references":[{"type":"ADVISORY","url":"https://grafana.com/security/security-advisories/cve-2025-4123/"},{"type":"ADVISORY","url":"https://grafana.com/blog/2025/05/23/grafana-security-release-medium-and-high-severity-security-fixes-for-cve-2025-4123-and-cve-2025-3580/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/grafana/grafana","events":[{"introduced":"0"},{"fixed":"a33fc073bf8b395da943a32c08a1217f7a7a30e0"},{"introduced":"c57667e4481563f5e6cf945b03bc0626caa4dbeb"},{"fixed":"f8ae632c424a8537738ccbab7abb98cf3c9f9a4e"},{"introduced":"d9455ff7db73b694db7d412e49a68bec767f2b5a"},{"fixed":"dd23cb31de627ff9eb6f8cf1e882e7b6256442bf"},{"introduced":"b58701869e1a11b696010a6f28bd96b68a2cf0d0"},{"fixed":"284f22d41bd23c602a14526657f1a3cde2d42bf5"},{"introduced":"f7a938db9ad71c1558e93d8e29e69f42c8a5f50b"},{"fixed":"f974c99f30b1ef9d23792a771ae64f3c851de4a4"},{"introduced":"d2fdff9ee4d75c74bfd3a97c18a0b8e4d029f06e"},{"fixed":"ae23ead4d959aa73a5a0ffada60e4147d679523c"},{"introduced":"0"},{"last_affected":"a33fc073bf8b395da943a32c08a1217f7a7a30e0"},{"introduced":"0"},{"last_af
fected":"f8ae632c424a8537738ccbab7abb98cf3c9f9a4e"},{"introduced":"0"},{"last_affected":"dd23cb31de627ff9eb6f8cf1e882e7b6256442bf"},{"introduced":"0"},{"last_affected":"284f22d41bd23c602a14526657f1a3cde2d42bf5"},{"introduced":"0"},{"last_affected":"f974c99f30b1ef9d23792a771ae64f3c851de4a4"},{"introduced":"0"},{"last_affected":"ae23ead4d959aa73a5a0ffada60e4147d679523c"},{"introduced":"0"},{"last_affected":"4c0e7045f97f356716755b47183b22e7f12bb4bf"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"10.4.18"},{"introduced":"11.2.0"},{"fixed":"11.2.9"},{"introduced":"11.3.0"},{"fixed":"11.3.6"},{"introduced":"11.4.0"},{"fixed":"11.4.4"},{"introduced":"11.5.0"},{"fixed":"11.5.4"},{"introduced":"11.6.0"},{"fixed":"11.6.1"},{"introduced":"0"},{"last_affected":"10.4.18-NA"},{"introduced":"0"},{"last_affected":"11.2.9-NA"},{"introduced":"0"},{"last_affected":"11.3.6-NA"},{"introduced":"0"},{"last_affected":"11.4.4-NA"},{"introduced":"0"},{"last_affected":"11.5.4-NA"},{"introduced":"0"},{"last_affected":"11.6.1-NA"},{"introduced":"0"},{"last_affected":"12.0.0-NA"}]}}],"versions":["1.0.0","6.1.6","7.0.0","7.2.1","dupa","list","omgtest","packages@6.3.0-alpha.33","packages@6.3.0-alpha.36","packages@6.3.0-beta.1","pkg/promlib/v0.0.1","pkg/promlib/v0.0.10","pkg/promlib/v0.0.2","pkg/promlib/v0.0.3","pkg/promlib/v0.0.4","pkg/promlib/v0.0.5","pkg/promlib/v0.0.6","pkg/promlib/v0.0.7","pkg/promlib/v0.0.8","pkg/promlib/v0.0.9","pkg/util/xorm/v0.0.1","pull","rrc_fast_12.2.0-17261372546.patch1","rrc_steady_12.2.0-17245430286.patch1","rrc_steady_12.4.0-19174562009.patch4","rrc_steady_13.0.0-22843068776.patch2","test","v0.0.0-cloud","v0.0.0-kmdagger1","v0.0.0-kmdagger2","v0.0.0-kmdagger3","v0.0.0-test","v0.0.0-test.2","v0.0.0-testrgm3","v0.0.0-testrgm4","v0.0.0-testrgm6","v0.0.1-test","v0.0.85-test","v1.0","v1.0.1","v1.0.2","v1.0.3","v1.0.4","v1.1.0","v1.2.0","v1.3.0","v1.4.0","v1.5.0","v1.5.1","v1.5.2","v1.5.3","v1.5.4","v1.6.0","v1.6.1","v1.7.0","v1.7.0-rc1","v1.8.0","v1.8.0-
rc1","v1.8.1","v1.9.0","v1.9.0-rc1","v1.9.1","v10.0.0","v10.0.0-preview","v10.0.1","v10.0.10","v10.0.11","v10.0.12","v10.0.13","v10.0.2","v10.0.3","v10.0.4","v10.0.5","v10.0.6","v10.0.8","v10.0.9","v10.1.0","v10.1.1","v10.1.10","v10.1.2","v10.1.4","v10.1.5","v10.1.6","v10.1.7","v10.1.8","v10.1.9","v10.2.0","v10.2.1","v10.2.2","v10.2.3","v10.2.4","v10.2.5","v10.2.6","v10.2.7","v10.2.8","v10.2.9","v10.3.0","v10.3.1","v10.3.10","v10.3.11","v10.3.12","v10.3.3","v10.3.4","v10.3.5","v10.3.6","v10.3.7","v10.3.8","v10.3.9","v10.4.0","v10.4.1","v10.4.10","v10.4.11","v10.4.12","v10.4.13","v10.4.14","v10.4.15","v10.4.16","v10.4.17","v10.4.17+security-01","v10.4.19","v10.4.19+security-01","v10.4.2","v10.4.3","v10.4.4","v10.4.5","v10.4.6","v10.4.7","v10.4.8","v10.4.9","v11.0.0","v11.0.0-preview","v11.0.1","v11.0.10","v11.0.11","v11.0.2","v11.0.3","v11.0.4","v11.0.5","v11.0.5+security-01","v11.0.6","v11.0.6+security-01","v11.0.7","v11.0.8","v11.0.9","v11.1.0","v11.1.1","v11.1.10","v11.1.11","v11.1.12","v11.1.13","v11.1.2","v11.1.3","v11.1.4","v11.1.5","v11.1.6","v11.1.6+security-01","v11.1.7","v11.1.7+security-01","v11.1.8","v11.1.9","v11.1.999-zserge-test","v11.2.0","v11.2.1","v11.2.1+security-01","v11.2.10","v11.2.10+security-01","v11.2.2","v11.2.2+security-01","v11.2.3","v11.2.3+security-01","v11.2.4","v11.2.5","v11.2.6","v11.2.7","v11.2.8","v11.2.8+security-01","v11.3.0","v11.3.0+security-01","v11.3.1","v11.3.2","v11.3.3","v11.3.4","v11.3.5","v11.3.5+security-01","v11.3.7","v11.3.7+security-01","v11.3.8","v11.3.8+security-01","v11.3.9","v11.4.0","v11.4.1","v11.4.2","v11.4.3","v11.4.3+security-01","v11.4.5","v11.4.5+security-01","v11.4.6","v11.4.6+security-01","v11.4.7","v11.4.8","v11.5.0","v11.5.1","v11.5.10","v11.5.2","v11.5.3","v11.5.3+security-01","v11.5.5","v11.5.5+security-01","v11.5.6","v11.5.6+security-01","v11.5.7","v11.5.8","v11.5.9","v11.6.0","v11.6.0+security-01","v11.6.10","v11.6.10+security-01","v11.6.11","v11.6.12","v11.6.13","v11.6.14","v11.6.14+security-01","v
11.6.2","v11.6.2+security-01","v11.6.3","v11.6.3+security-01","v11.6.4","v11.6.5","v11.6.6","v11.6.7","v11.6.8","v11.6.9","v11.6.9+security-01","v12.0.0","v12.0.1","v12.0.1+security-01","v12.0.10","v12.0.2","v12.0.2+security-01","v12.0.3","v12.0.4","v12.0.5","v12.0.6","v12.0.6+security-01","v12.0.7","v12.0.8","v12.0.8+security-01","v12.0.9","v12.1.0","v12.1.1","v12.1.10","v12.1.10+security-01","v12.1.2","v12.1.3","v12.1.3+security-01","v12.1.4","v12.1.5","v12.1.5+security-01","v12.1.6","v12.1.6+security-01","v12.1.7","v12.1.8","v12.1.9","v12.2.0","v12.2.1","v12.2.1+security-01","v12.2.2","v12.2.3","v12.2.3+security-01","v12.2.4","v12.2.4+security-01","v12.2.5","v12.2.6","v12.2.7","v12.2.8","v12.2.8+security-01","v12.3.0","v12.3.1","v12.3.1+security-01","v12.3.2","v12.3.2+security-01","v12.3.3","v12.3.4","v12.3.5","v12.3.6","v12.3.6+security-01","v12.4.0","v12.4.1","v12.4.2","v2.0.0-beta1","v2.0.0-beta3","v2.0.1","v2.0.2","v2.1.0","v2.1.1","v2.1.2","v2.1.3","v2.5.0","v2.6.0","v2.6.0-beta1","v3.0-beta1","v3.0-beta2","v3.0-beta3","v3.0-beta4","v3.0-beta5","v3.0.0-beta6","v3.0.0-beta7","v3.0.1","v3.0.2","v3.0.3","v3.0.4","v3.1.0","v3.1.0-beta1","v3.1.1","v3.2.1-test","v4.0.0","v4.0.0-beta1","v4.0.0-beta2","v4.0.1","v4.0.2","v4.1.0","v4.1.0-beta1","v4.1.1","v4.1.2","v4.2.0","v4.2.0-beta1","v4.3.0","v4.3.0-beta1","v4.3.1","v4.3.2","v4.4.0","v4.4.1","v4.4.2","v4.4.3","v4.5.0","v4.5.0-beta1","v4.5.1","v4.5.2","v4.6.0","v4.6.0-beta1","v4.6.0-beta2","v4.6.0-beta3","v4.6.1","v4.6.2","v4.6.3","v4.6.4","v4.6.5","v5.,2.4","v5.0.0","v5.0.0-beta1","v5.0.0-beta2","v5.0.0-beta3","v5.0.0-beta4","v5.0.0-beta5","v5.0.1","v5.0.2","v5.0.3","v5.0.4","v5.1.0","v5.1.0-beta1","v5.1.1","v5.1.2","v5.1.3","v5.1.4","v5.1.5","v5.2.0","v5.2.0-beta1","v5.2.0-beta2","v5.2.0-beta3","v5.2.1","v5.2.2","v5.2.3","v5.2.4","v5.2.5","v5.3.0","v5.3.0-beta1","v5.3.0-beta2","v5.3.0-beta3","v5.3.1","v5.3.2","v5.3.3","v5.3.4","v5.4.0","v5.4.0-beta1","v5.4.1","v5.4.2","v5.4.3","v5.4.4","v5.4.4_private","v5.4.5","v
6.0.0","v6.0.0-beta1","v6.0.0-beta2","v6.0.0-beta3","v6.0.1","v6.0.2","v6.1.0","v6.1.0-beta1","v6.1.1","v6.1.2","v6.1.3","v6.1.4","v6.1.6","v6.2.0","v6.2.0-beta1","v6.2.0-beta2","v6.2.1","v6.2.2","v6.2.3","v6.2.4","v6.2.5","v6.3.0","v6.3.0-alpha.30","v6.3.0-beta.0","v6.3.0-beta1","v6.3.0-beta2","v6.3.0-beta3","v6.3.0-beta4","v6.3.1","v6.3.2","v6.3.3","v6.3.4","v6.3.5","v6.3.6","v6.3.7","v6.4.0","v6.4.0-beta1","v6.4.0-beta2","v6.4.1","v6.4.2","v6.4.3","v6.4.4","v6.4.5","v6.5","v6.5.0","v6.5.0-beta1","v6.5.1","v6.5.2","v6.5.3","v6.6.0","v6.6.0-beta1","v6.6.1","v6.6.2","v6.7.0","v6.7.0-beta1","v6.7.1","v6.7.2","v6.7.3","v6.7.4","v6.7.5","v6.7.6","v7.0.0","v7.0.0-beta1","v7.0.0-beta2","v7.0.0-beta3","v7.0.1","v7.0.2","v7.0.3","v7.0.4","v7.0.5","v7.0.6","v7.1.0","v7.1.0-beta1","v7.1.0-beta2","v7.1.0-beta3","v7.1.1","v7.1.2","v7.1.3","v7.1.4","v7.1.5","v7.2.0","v7.2.0-beta1","v7.2.0-beta2","v7.2.1","v7.2.2","v7.2.3","v7.3.0","v7.3.0-beta1","v7.3.0-beta2","v7.3.1","v7.3.10","v7.3.2","v7.3.3","v7.3.4","v7.3.5","v7.3.6","v7.3.7","v7.3.8","v7.4.0","v7.4.0-beta1","v7.4.1","v7.4.2","v7.4.3","v7.4.4","v7.4.5","v7.5.0","v7.5.0-beta1","v7.5.0-beta2","v7.5.1","v7.5.10","v7.5.11","v7.5.12","v7.5.13","v7.5.15","v7.5.16","v7.5.17","v7.5.2","v7.5.3","v7.5.4","v7.5.5","v7.5.6","v7.5.7","v7.5.8","v7.5.9","v8.0.0","v8.0.0-beta1","v8.0.0-beta2","v8.0.0-beta3","v8.0.1","v8.0.2","v8.0.3","v8.0.4","v8.0.5","v8.0.6","v8.0.7","v8.1.0","v8.1.0-beta1","v8.1.0-beta2","v8.1.0-beta3","v8.1.1","v8.1.2","v8.1.3","v8.1.4","v8.1.5","v8.1.6","v8.1.7","v8.1.8","v8.2.0","v8.2.0-beta1","v8.2.0-beta2","v8.2.1","v8.2.2","v8.2.3","v8.2.4","v8.2.5","v8.2.6","v8.2.7","v8.3.0","v8.3.0-beta1","v8.3.0-beta2","v8.3.1","v8.3.10","v8.3.11","v8.3.2","v8.3.3","v8.3.4","v8.3.5","v8.3.6","v8.3.7","v8.4.0","v8.4.0-beta1","v8.4.1","v8.4.10","v8.4.11","v8.4.2","v8.4.3","v8.4.4","v8.4.5","v8.4.6","v8.4.7","v8.5.0","v8.5.0-beta1","v8.5.1","v8.5.10","v8.5.11","v8.5.13","v8.5.14","v8.5.15","v8.5.16","v8.5.2","v8.5.20","v8.5.21",
"v8.5.22","v8.5.24","v8.5.26","v8.5.27","v8.5.3","v8.5.4","v8.5.5","v8.5.6","v8.5.9","v9.0.0","v9.0.0-beta1","v9.0.0-beta2","v9.0.0-beta3","v9.0.1","v9.0.2","v9.0.3","v9.0.4","v9.0.5","v9.0.6","v9.0.7","v9.0.8","v9.0.9","v9.1.0","v9.1.0-beta1","v9.1.1","v9.1.2","v9.1.3","v9.1.4","v9.1.5","v9.1.6","v9.1.7","v9.1.8","v9.2.0","v9.2.0-279c6c6c7d","v9.2.0-beta1","v9.2.1","v9.2.10","v9.2.13","v9.2.15","v9.2.17","v9.2.18","v9.2.19","v9.2.2","v9.2.20","v9.2.3","v9.2.4","v9.2.5","v9.2.6","v9.2.7","v9.2.8","v9.3.0","v9.3.0-beta1","v9.3.1","v9.3.11","v9.3.13","v9.3.14","v9.3.15","v9.3.16","v9.3.2","v9.3.4","v9.3.6","v9.3.8","v9.4.0","v9.4.0-beta1","v9.4.1","v9.4.10","v9.4.12","v9.4.13","v9.4.14","v9.4.15","v9.4.17","v9.4.2","v9.4.3","v9.4.7","v9.4.9","v9.5.0","v9.5.1","v9.5.10","v9.5.12","v9.5.13","v9.5.14","v9.5.15","v9.5.16","v9.5.17","v9.5.18","v9.5.19","v9.5.2","v9.5.20","v9.5.21","v9.5.3","v9.5.5","v9.5.6","v9.5.7","v9.5.8","v9.5.9","vtest-new-release-pipeline"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-4123.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}