Grafana Labs has released critical security patches addressing two significant vulnerabilities that could allow attackers to redirect users to malicious websites and execute arbitrary JavaScript code.
The company issued fixes for CVE-2025-6023 (high severity) and CVE-2025-6197 (medium severity) across multiple versions of the popular monitoring and observability platform, affecting millions of installations worldwide.
CVE-2025-6023, carrying a CVSS score of 7.6, represents a cross-site scripting (XSS) vulnerability that stems from client path traversal and open redirect issues.
This vulnerability is particularly concerning because it doesn’t require editor permissions to exploit, making it accessible to users with basic viewer access.
When anonymous access is enabled, the vulnerability becomes even more dangerous as it can be triggered without authentication.
The vulnerability affects Grafana’s scripted dashboards functionality, where attackers can craft malicious URLs that redirect users to external websites hosting JavaScript code.
Once redirected, the malicious script executes within the user’s browser context, potentially leading to session hijacking or complete account takeover.
Grafana Cloud users face additional risk due to the absence of a connect-src directive in their Content-Security-Policy, which would normally prevent external JavaScript fetching.
Security researchers from OPSWAT discovered this vulnerability through Grafana’s bug bounty program on June 11, 2025.
The vulnerability combines both open redirect and path traversal weaknesses, demonstrating how seemingly separate security issues can compound to create more severe attack vectors.
Grafana Vulnerabilities
CVE-2025-6197, with a CVSS score of 4.2, affects Grafana installations with multiple organizations enabled.
This open redirect vulnerability lies in the organization-switching functionality and allows attackers to redirect users to malicious websites. However, exploitation requires specific conditions:
- The Grafana instance must have multiple organizations configured.
- The targeted user must be a member of both organizations being switched between.
- The attacker must know the organization ID currently being viewed by the victim.
- Users need to have appropriate permissions to switch between organizations.
While Grafana Cloud users are not affected by this particular vulnerability since the platform doesn’t support organizations, on-premises installations with multi-organization setups face potential risk.
The vulnerability was discovered by security researcher Dat Phung on June 17, 2025, also through the bug bounty program.
Mitigations
Grafana Labs has released security patches for versions 12.0.x, 11.6.x, 11.5.x, 11.4.x, and 11.3.x, with all versions 11.5.0 and above being vulnerable to both CVEs.
The company coordinated with cloud providers including Amazon Managed Grafana and Azure Managed Grafana to ensure comprehensive protection across all platforms.
For organizations unable to immediately upgrade, Grafana recommends implementing Content Security Policy configurations as a temporary mitigation.
The suggested CSP template includes specific directives to prevent external script execution and unauthorized connections. Additionally, administrators can block URLs starting with /\ or %2F%5C at the ingress level to prevent exploitation of CVE-2025-6197.
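A defender-side check for the two mitigations above, added here as an example and not code from Grafana or this article: it flags access-log requests whose path starts with /\ (literally or percent-encoded as %2F%5C), and tests whether a Content-Security-Policy header actually constrains connect-src. The log format, sample lines and hostnames are constructed for the example; decoding the path once before checking is an assumption that broadens coverage to equivalent encodings.

```python
import re
from urllib.parse import unquote

# Request line of a Combined Log Format access log entry (assumed log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic); two carry the prefix the advisory says to block.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Jul/2025:10:01:02 +0000] "GET /d/abc123/home?orgId=1 HTTP/1.1" 200 5123',
    '10.0.0.9 - - [15/Jul/2025:10:01:07 +0000] "GET /\\external.example/?orgId=1 HTTP/1.1" 302 0',
    '10.0.0.9 - - [15/Jul/2025:10:01:09 +0000] "GET %2F%5Cexternal.example/ HTTP/1.1" 302 0',
    '10.0.0.7 - - [15/Jul/2025:10:01:30 +0000] "GET /api/health HTTP/1.1" 200 15',
]


def is_backslash_prefix(path: str) -> bool:
    """True when the path starts with '/\\' literally or after one percent-decode.
    The article names '/\\' and '%2F%5C'; decoding once (an assumption made here)
    also covers mixed-case and partially encoded spellings of the same prefix."""
    return path.startswith("/\\") or unquote(path).startswith("/\\")


def flag_requests(log_lines):
    """Return (ip, path, status) for every log line whose request path carries the prefix."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and is_backslash_prefix(m.group("path")):
            hits.append((m.group("ip"), m.group("path"), int(m.group("status"))))
    return hits


def parse_csp(header: str) -> dict:
    """Split a Content-Security-Policy header value into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def connect_src_restricts(header: str) -> bool:
    """True if the policy constrains fetch destinations: an explicit connect-src, or
    the default-src it falls back to per the CSP spec, and neither is the wildcard '*'."""
    policy = parse_csp(header)
    sources = policy.get("connect-src", policy.get("default-src"))
    return sources is not None and "*" not in sources
```

Run `flag_requests` over your ingress or Grafana access logs to confirm the block rule is in place, and `connect_src_restricts` against the CSP header your deployment returns.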
Enterprise customers received advance notification under embargo, while Grafana Cloud was patched seamlessly without service disruption.
The security team maintains transparency through detailed timelines and acknowledgments of the security researchers who reported these vulnerabilities through responsible disclosure practices.