{"id":3562,"date":"2025-06-16T12:13:05","date_gmt":"2025-06-16T12:13:05","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3562"},"modified":"2025-06-16T12:13:05","modified_gmt":"2025-06-16T12:13:05","slug":"grafana-ghost-xss-flaw-exposes-47000-servers-to-account-takeover","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3562","title":{"rendered":"\u2018Grafana Ghost\u2019 XSS flaw exposes 47,000 servers to account takeover"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>A newly discovered cross-site scripting (XSS) vulnerability in Grafana \u2014 a widely used open-source analytics and visualization platform for developers \u2014 has put thousands of servers at risk of complete account takeover.<\/p>\n<p>According to an OX Security analysis, the critical vulnerability, dubbed \u201cGrafana Ghost,\u201d exposes unpatched systems to client-side open-redirect and <a href=\"https:\/\/www.csoonline.com\/article\/565192\/what-is-xss-cross-site-scripting-attacks-explained.html?utm=hybrid_search\">cross-site scripting<\/a> attacks.<\/p>\n<p>\u201cThe vulnerability is a chain of exploits, beginning with a malicious link sent to the victim,\u201d OX researchers said in a blog post. \u201cEven Grafana servers not directly connected to the internet are at risk, due to the potential for blind attacks that exploit the same weakness.\u201d<\/p>\n<p>Researchers warned that a compromised Grafana admin account could have serious consequences, including full access to internal metrics and dashboards, control over user accounts, and potential disruption of operations.<\/p>\n<h2 class=\"wp-block-heading\">About 47,000 instances are still at risk<\/h2>\n<p>The security flaw was first discovered in May 2025 by Alvaro Balada in a bug bounty program and was <a href=\"https:\/\/grafana.com\/blog\/2025\/05\/21\/grafana-security-release-high-severity-security-fix-for-cve-2025-4123\/\">disclosed<\/a> by Grafana as a one-day vulnerability.\u00a0<\/p>\n<p>Over a month from then, OX Security reports that 36% of public-facing Grafana instances\u2013individual deployments or installations of Grafana\u2013are still vulnerable. Based on a Shodan query code shared by OX Security, the CSO team verified that the total number of vulnerable instances was 46,867, approximately 35.8% of the 130,861 total active instances the team identified at the time of writing this article.<\/p>\n<p>Even more are likely affected behind firewalls or in segmented networks, according to the <a href=\"https:\/\/www.ox.security\/confirmed-critical-the-grafana-ghost-exposes-36-of-public-facing-instances-to-malicious-account-takeover\/\" target=\"_blank\" rel=\"noopener\">post<\/a>.<\/p>\n<p>\u201cWhile talking about a high percentage of publicly available Grafana servers, the vulnerability also affects Grafana instances running locally by crafting a payload that takes advantage of the locally used domain name and port for the local service,\u201d the researchers added. Working exploits for both public-facing as well as local instances were shared in the post.<\/p>\n<p>According to a Grafana <a href=\"https:\/\/grafana.com\/security\/security-advisories\/cve-2025-4123\/\" target=\"_blank\" rel=\"noopener\">advisory<\/a>, the vulnerability was fixed in v10.4.18+security-01, v11.2.9+security-01, v11.3.6+security-01, v11.4.4+security-01, v11.5.4+security-01, v11.6.1+security-01, and v12.0.0+security-01 versions.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>From open-redirect to plugin-powered takeover<\/h2>\n<p>Based on the PoC shared by OX Security, the exploit leverages a clever combo of client-side path traversal and open-redirect mechanics in Grafana\u2019s staticHandler, the component responsible for serving static files like HTML, CSS, JavaScript, and images from the server to the user\u2019s browser.<\/p>\n<p>A potential attack can have a crafted URL sent to the victim, which takes them to a malicious domain. Once there, users are tricked into loading an unsigned, rogue Grafana plugin without the attacker requiring any editor or admin rights.<\/p>\n<p>Once the plugin loads, it runs attacker-controlled JavaScripts in the victim\u2019s browser, potentially leading to session hijacks, credential theft, creation of admin logins, and modification of dashboards.<\/p>\n<p>Additionally, a server-side request forgery (<a href=\"https:\/\/www.csoonline.com\/article\/3959148\/hackers-attempted-to-steal-aws-credentials-using-ssrf-flaws-within-hosted-sites.html?utm=hybrid_search\">SSRF<\/a>) escalation for full-read abuse is possible. \u201cThis vulnerability does not require editor permissions, and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF,\u201d the Grafana advisory added. Upgrading to fixed Grafana versions is recommended to completely mitigate the issue against N-day attacks.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A newly discovered cross-site scripting (XSS) vulnerability in Grafana \u2014 a widely used open-source analytics and visualization platform for developers \u2014 has put thousands of servers at risk of complete account takeover. According to an OX Security analysis, the critical vulnerability, dubbed \u201cGrafana Ghost,\u201d exposes unpatched systems to client-side open-redirect and cross-site scripting attacks. \u201cThe [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":3563,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3562","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3562"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3562"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3562\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3563"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3562"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3562"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3562"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}