Summary

  • A security vulnerability (CVE-2025-4123) has been discovered in Grafana, the open-source analytics and visualisation platform.
  • The vulnerability combines a client-side path traversal with an open redirect, which together can lead to a cross-site scripting (XSS) attack and account takeover.
  • The Grafana frontend fails to properly normalize or sanitize URL paths used for plugin loading and navigation, allowing malicious actors to take advantage of encoded path traversal sequences, backslashes and percent-encoding to break out of the intended directory structure.
  • This enables the actor to load arbitrary JavaScript and access sensitive information, trigger an open redirect or, as a more serious consequence, perform an XSS attack to deliver malware or steal login credentials.
  • The vulnerability was discovered by beating security, and the issue has been fixed in version 7.0.1 of Grafana.
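The summary above says the frontend failed to normalise plugin-loading and navigation paths before trusting them. The following is an added example, not Grafana's code or its actual fix, of the defensive checks such a frontend should apply: fully percent-decode, treat backslashes as separators, resolve dot segments, and only then compare against the allowed prefix (the `PLUGIN_BASE` value and function names are assumptions for this example).

```javascript
// Added example (not Grafana's code): defensive normalisation for plugin-asset
// paths and redirect targets. PLUGIN_BASE is an assumed allowed prefix.
const PLUGIN_BASE = "/public/plugins/";

// Percent-decode repeatedly until the value stops changing, so double-encoded
// sequences (e.g. %252e%252e) cannot slip past a single decoding pass.
// Malformed escapes and values that never stabilise are rejected (null).
function fullyDecode(value) {
  let prev = null;
  let cur = value;
  for (let i = 0; i < 5 && cur !== prev; i++) {
    prev = cur;
    try { cur = decodeURIComponent(cur); } catch (e) { return null; }
  }
  return cur === prev ? cur : null;
}

// Returns the canonical path if it stays inside PLUGIN_BASE, otherwise null.
function safePluginPath(rawPath) {
  const decoded = fullyDecode(rawPath);
  if (decoded === null) return null;
  // Browsers treat "\" like "/" in paths, so unify before resolving dots.
  const unified = decoded.replace(/\\/g, "/");
  const out = [];
  for (const seg of unified.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (out.length === 0) return null; // climbing above the root
      out.pop();
      continue;
    }
    out.push(seg);
  }
  const canonical = "/" + out.join("/");
  return canonical.startsWith(PLUGIN_BASE) ? canonical : null;
}

// Accepts only same-origin relative paths as redirect targets: absolute URLs
// and protocol-relative forms ("//host", "/\host" after unification) are refused.
function isSafeRedirect(target) {
  const decoded = fullyDecode(target);
  if (decoded === null) return false;
  const unified = decoded.replace(/\\/g, "/");
  return unified.startsWith("/") && !unified.startsWith("//");
}
```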

By coffinxp
