Grafana Labs has released important security patches for multiple versions of its observability platform, addressing two significant vulnerabilities: a high-severity Cross-Site Scripting (XSS) vulnerability tracked as CVE-2025-6023, and a medium-severity open redirect issue tracked as CVE-2025-6197.
The more serious of the two, CVE-2025-6023 (CVSS 7.6), is a cross-site scripting vulnerability caused by a combination of client-side path traversal and open redirect. The flaw allows attackers to inject and execute arbitrary JavaScript code within the context of a victim’s browser via specially crafted dashboard links.
“This allows attackers to redirect users to malicious websites that execute arbitrary JavaScript code in scripted dashboards,” the advisory explains.
Unlike many XSS issues that require elevated permissions, this vulnerability does not require editor rights, making it significantly easier to exploit in environments where anonymous access is enabled.
Further compounding the risk, Grafana Cloud users were impacted due to a missing connect-src directive in the Content Security Policy (CSP), making it possible for an attacker to load malicious external scripts even if the attacker had no direct access to the Grafana instance.
The potential consequences of exploitation include session hijacking, account takeover, and persistent access to sensitive monitoring dashboards.
The second flaw, CVE-2025-6197 (CVSS 4.2), stems from the organization-switching functionality within Grafana. An attacker could exploit the redirect mechanism to redirect authenticated users to malicious websites.
“The Grafana instance must have more than one organization and the user being redirected needs to be a member of both,” the advisory notes.
While less critical than the XSS flaw, CVE-2025-6197 could be chained with XSS techniques for more impactful attacks, especially in multi-tenant or enterprise environments.
“This open redirect could be abused to achieve XSS, similar to CVE-2025-6023,” the advisory warns. Notably, Grafana Cloud is not affected by this vulnerability since it does not support multiple organizations.
Both vulnerabilities affect Grafana 11.5.0 and later. Patched versions now available include:
- Grafana 12.0.2+security-01
- Grafana 11.6.3+security-01
- Grafana 11.5.6+security-01
- Grafana 11.4.6+security-01
- Grafana 11.3.8+security-01
For environments where upgrades are not immediately feasible, Grafana recommends:
- Enabling and customizing the Content Security Policy (CSP) to block external scripts.
- Blocking URLs beginning with /%5C at the ingress level to mitigate redirect abuse.
- Restricting deployments to a single organization where possible to reduce redirect exposure.
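The two interim mitigations above can be checked mechanically. The following is an added example, not code from Grafana or from the advisory: it takes the mitigation text literally (reject request targets beginning with /%5C, and make sure the CSP carries a connect-src directive) and runs the checks over constructed sample request lines and policies.

```python
# Added example, not Grafana's code. Assumes the advisory's mitigations
# literally: block request targets starting with /%5C at the ingress, and
# require a connect-src directive in the CSP. All samples are constructed.
from urllib.parse import urlsplit

BLOCKED_PREFIX = "/%5c"  # URL-encoded backslash, compared case-insensitively


def should_block_path(request_target: str) -> bool:
    """True when the raw request target starts with /%5C.

    Runs on the still-encoded path: percent-decoding first would turn %5C
    into a literal backslash and hide the prefix the advisory says to block.
    """
    path = urlsplit(request_target).path
    return path[: len(BLOCKED_PREFIX)].lower() == BLOCKED_PREFIX


def blocked_targets(access_log_lines: list[str]) -> list[str]:
    """Targets in 'METHOD TARGET ...' log lines that the ingress rule rejects.
    Lines without a target are skipped."""
    hits = []
    for line in access_log_lines:
        parts = line.split()
        if len(parts) >= 2 and should_block_path(parts[1]):
            hits.append(parts[1])
    return hits


def csp_directives(header: str) -> dict[str, list[str]]:
    """Parse a Content-Security-Policy header into {directive: [sources]}."""
    directives: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def csp_lacks_connect_src(header: str) -> bool:
    """True when nothing constrains fetch/XHR/WebSocket destinations.

    connect-src falls back to default-src when absent, so a policy with only
    default-src is not flagged; one with neither is the gap described above.
    """
    directives = csp_directives(header)
    return "connect-src" not in directives and "default-src" not in directives


if __name__ == "__main__":
    sample_log = ["GET /d/abc123/overview?orgId=1",  # constructed lines
                  "GET /%5Credirect-target.example/dashboard"]
    print(blocked_targets(sample_log))
    print(csp_lacks_connect_src("script-src 'self'; img-src *"))
```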