Introduction

A critical client-side open redirect vulnerability [2] [4] [10], identified as CVE-2025-4123 and known as “the Grafana Ghost,” presents a substantial risk of account takeover for over 46,000 Grafana instances exposed to the internet. This vulnerability, discovered by bug bounty hunter Alvaro Balada in May 2025, remains unpatched in over one-third of these deployments, posing a significant threat to user accounts and sensitive data.

Description

A serious client-side open redirect vulnerability [2] [4] [10], tracked as CVE-2025-4123 and dubbed “the Grafana Ghost,” poses a significant risk of account takeover for over 46,000 internet-facing Grafana instances, with analysis revealing that more than one-third of these deployments remain unpatched. Discovered by bug bounty hunter Alvaro Balada in May 2025 and addressed in a security update released on May 21 [10], this high-severity vulnerability allows the execution of malicious plugins [2], jeopardizing user sessions and account credentials [4] [9]. It can lead to stored cross-site scripting (XSS) attacks [7], enabling attackers to deceive logged-in users into loading harmful plugins from attacker-controlled servers [9]. Exploitation can result in session hijacking and unauthorized changes to account credentials [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] and, if the Grafana Image Renderer plugin is present [5] [7] [9] [10], server-side request forgery (SSRF) against internal services [7] [9] [10].

The vulnerability stems from a combination of client-side path traversal and open-redirect behavior [3] [8] [9] in Grafana’s static file handling, implemented in the pkg/api/static/static.go source file [11]. By manipulating the ctx.Req.URL.Path value, an attacker can trigger an open redirect that causes a malicious JavaScript module to be loaded from a specially crafted URL. When a victim clicks such a link, Grafana loads the external plugin, which can execute arbitrary code [6] and change the victim’s Grafana username and email address to the attacker’s own [5] [6]. This capability enables full account takeover through the password reset procedure.

The impact of this vulnerability is particularly severe because of the critical role Grafana dashboards play in observability pipelines, where they are often connected to sensitive backend data sources such as Prometheus and cloud metrics [7]. A compromised Grafana administrator account can expose credentials and cloud API keys [7], facilitating further attacks within production environments [7]. Importantly, the vulnerability requires neither elevated privileges nor authentication [8] [10], which makes it easier to exploit, especially in environments with anonymous access enabled, a common default setting in many Grafana deployments [1]. While Grafana’s Content Security Policy (CSP) offers limited protection [1] [2] [10], it is insufficient to prevent exploitation because of limitations in client-side enforcement [10], allowing attackers to bypass modern browser routing logic and URL normalization.

Indicators of exploitation include unexpected outbound requests to external domains under the /public/plugins/ path [7], browser console logs showing unknown plugin IDs [7], and audit logs reflecting user-profile email changes followed by password resets [7]. In environments utilizing the Image Renderer [7], there may be requests to internal metadata URLs such as AWS IMDS [7]. Although active exploitation cannot be confirmed [7], interest in CVE-2025-4123 has surged following recent disclosures [7], likely leading to increased scanning for vulnerable paths [7]. The simplicity of the attack vector [7], which requires user interaction and an active session but no credentials, makes it a prime candidate for inclusion in red-team toolkits and opportunistic attack chains [7].
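The following detection script is an added illustration of the indicators listed above, not code from the original article or from Grafana. It runs over constructed, simplified logfmt-style lines (the `redirect=` field is assumed to carry the Location target of a 3xx response; the host allow-list and user actions are likewise assumed) and flags plugin requests under /public/plugins/ that contain encoded traversal or redirect to an external host, plus a user e-mail change followed by a password reset within a short window.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote, urlparse
# Constructed sample lines in a simplified logfmt style, not real Grafana output; the
# 'redirect=' field is an assumption standing in for the Location of a 3xx reply.
SAMPLE_LOGS = """\
t=2025-06-02T10:00:01Z msg="Request Completed" method=GET path=/public/plugins/clock-panel/module.js status=200 uname=alice
t=2025-06-02T10:00:05Z msg="Request Completed" method=GET path=/public/plugins/..%252f..%252fevil.example/module.js status=302 uname=alice
t=2025-06-02T10:00:09Z msg="Request Completed" method=GET path=/public/plugins/x/module.js status=302 redirect=https://evil.example/m.js uname=alice
t=2025-06-02T10:01:00Z msg="user updated" action=update-email uname=alice
t=2025-06-02T10:03:00Z msg="password reset" action=reset-password uname=alice
t=2025-06-02T10:10:00Z msg="user updated" action=update-email uname=bob
"""
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')  # key=value or key="quoted value"
TRAVERSAL = re.compile(r'(^|/)\.\.(/|$)')

def parse_logfmt(line):
    return {k: v.strip('"') for k, v in KV.findall(line)}

def suspicious_plugin_request(ev, trusted_hosts):
    """Flag /public/plugins/ requests carrying (encoded) '..' or redirected off-host."""
    path = ev.get("path", "")
    if not path.startswith("/public/plugins/"):
        return None
    if TRAVERSAL.search(unquote(unquote(path))):  # catches single and double encoding
        return f"{ev['uname']}: traversal in plugin path {path}"
    target = ev.get("redirect")
    if target and ev.get("status", "").startswith("3"):
        host = urlparse(target).hostname or ""
        if host not in trusted_hosts:
            return f"{ev['uname']}: plugin load redirected to external host {host}"
    return None

def email_change_then_reset(events, window=timedelta(minutes=15)):
    """Users whose e-mail change was followed by a password reset within `window`."""
    last_change, hits = {}, []
    for ev in events:
        user, action = ev.get("uname"), ev.get("action")
        ts = datetime.fromisoformat(ev["t"].replace("Z", "+00:00"))
        if action == "update-email":
            last_change[user] = ts
        elif action == "reset-password" and user in last_change:
            if ts - last_change[user] <= window:
                hits.append(user)
    return hits

def scan(text, trusted_hosts=frozenset({"grafana.example.internal"})):
    events = [parse_logfmt(l) for l in text.splitlines() if l.strip()]
    alerts = [a for ev in events if (a := suspicious_plugin_request(ev, trusted_hosts))]
    alerts += [f"{u}: e-mail change followed by password reset" for u in email_change_then_reset(events)]
    return alerts
```

Calling `scan(SAMPLE_LOGS)` yields three alerts for the constructed user alice and none for bob, whose e-mail change is not followed by a reset.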

Conclusion

The Grafana Ghost vulnerability underscores the critical need for organizations to promptly update their systems to patched versions, including 10.4.18+security-01, 11.2.9+security-01, 11.3.6+security-01, 11.4.4+security-01, 11.5.4+security-01, 11.6.1+security-01 [3] [9] [10] [11], and 12.0.0+security-01 [3] [6] [9] [10] [11]. Given Grafana’s integral role in IT monitoring and DevOps environments, this vulnerability poses significant risks to organizational security and operational continuity [11]. Organizations should audit their Grafana configurations, tighten plugin policies [7], and review session management and plugin permissions to mitigate this risk effectively [1]. The potential for widespread exploitation highlights the importance of proactive security measures and continuous monitoring to safeguard against emerging threats.

References

[1] https://dailysecurityreview.com/security-spotlight/over-46000-grafana-instances-still-vulnerable-to-grafana-ghost-account-takeover-bug/
[2] https://www.techbooky.com/over-46000-grafana-instances-vulnerable-to-account-takeover/
[3] https://www.csoonline.com/article/4007522/grafana-ghost-xss-flaw-exposes-47000-servers-to-account-takeover.html
[4] https://blog.rankiteo.com/gra600061525-grafana-labs-vulnerability-june-2025/
[5] https://www.infosecurity-magazine.com/news/over-third-grafana-instances/
[6] https://socprime.com/blog/cve-2025-4123-vulnerability-in-grafana/
[7] https://op-c.net/blog/grafana-xss-cve-2025-4123-vulnerability/
[8] https://www.hendryadrian.com/over-46000-grafana-instances-exposed-to-account-takeover-bug/
[9] https://clickcontrol.com/cyber-threat/46000-grafana-servers-at-risk-ghost-bug-enables-complete-account-takeover/
[10] https://news.lavx.hu/article/critical-grafana-vulnerability-exposes-46000-instances-to-account-takeover
[11] https://cybersecuritynews.com/grafana-account-takeover-attacks/