{"id":4391,"date":"2025-08-14T14:08:57","date_gmt":"2025-08-14T14:08:57","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=4391"},"modified":"2025-08-14T14:08:57","modified_gmt":"2025-08-14T14:08:57","slug":"flaws-in-a-pair-of-grafana-plugins-could-hand-over-devops-control","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=4391","title":{"rendered":"Flaws in a pair of Grafana plugins could hand over DevOps control"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Two now-patched critical flaws in Grafana\u2019s plugin architecture could let attackers take full control of an organization\u2019s observability instance.<\/p>\n<p>Grafana is a widely used DevOps observability platform for visualizing metrics, logs, and traces, and the two plugins in question, SQLite for accessing locally stored data and Infinity for fetching data from remote sources, extend its integration capabilities.<\/p>\n<p>Researchers at Cycode found that the plugins, which pull data from local and external sources, could expose sensitive credentials and internal cloud infrastructure.<\/p>\n<p>\u201cExploiting these flaws can quickly turn limited access into total control over a Grafana instance,\u201d Cycode security researcher <a href=\"https:\/\/www.linkedin.com\/in\/eladpt\/\" target=\"_blank\" rel=\"noopener\">Elad Pticha<\/a> told CSO. 
\u201cGiven Grafana\u2019s widespread use and the sensitive production credentials it often holds, such weaknesses could become high-value targets.\u201d<\/p>\n<p>At fault are a hardcoded default encryption key in one plugin and a bypassable URL allow list in the other, each capable of allowing privilege escalation to Grafana admin on its own.<\/p>\n<p>The flaws were reported to the respective maintainers \u2014 <a href=\"https:\/\/grafana.com\/\" target=\"_blank\" rel=\"noopener\">Grafana Labs<\/a> in the case of Infinity \u2014 and appropriate fixes have since been applied, Pticha added.<\/p>\n<h2 class=\"wp-block-heading\">One allowed SSRF, the other revealed sensitive keys<\/h2>\n<p>One of the flaws, <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-8341\" target=\"_blank\" rel=\"noopener\">CVE-2025-8341<\/a>, lurked in Infinity\u2019s URL allow-list check. By slipping an \u2018@\u2019 symbol into a crafted URL, attackers could trick Grafana into sending server-side requests (<a href=\"https:\/\/www.csoonline.com\/article\/571411\/ssrf-attacks-explained-and-how-to-defend-against-them.html\" target=\"_blank\" rel=\"noopener\">SSRF<\/a>) to internal endpoints, such as cloud metadata services, effectively opening a tunnel into otherwise unreachable infrastructure.<\/p>\n<p>\u201cThe Infinity plugin allows users to send HTTP requests to any URL and customize those requests with headers, parameters, and payloads,\u201d the researchers said in a <a href=\"https:\/\/cycode.com\/blog\/one-plugin-away-breaking-into-grafana-from-the-inside\/\" target=\"_blank\" rel=\"noopener\">blog post<\/a> shared with CSO before its publication on Thursday. \u201cAnything before the \u2018@\u2019 is treated as credentials (username and password), while everything after it is interpreted as the actual destination host and path. 
We crafted a URL that begins with an allowed prefix but actually routes to a different destination.\u201d<\/p>\n<p>The other flaw exploited the SQLite plugin\u2019s broad filesystem access. Because Grafana ships with a hardcoded default encryption key in its official Docker image, any instance left with that key unchanged could be fully compromised if an attacker accessed the databases. As it happens, the access is provided by the SQLite plugin, which can connect to any SQLite database file that the Grafana process can reach, including Grafana\u2019s own database file.<\/p>\n<p>From there, attackers could elevate their own account to admin, pull stored credentials for connected systems, and move laterally into more sensitive environments without tripping alarms.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Flaws addressed, but users must take action<\/h2>\n<p>Cycode confirmed to CSO that both flaws have now been addressed. The SQLite plugin now features a deny list, <em>GF_PLUGIN_BLOCK_LIST<\/em>, to restrict the plugin from accessing specific files, including Grafana\u2019s own database, grafana.db. The Infinity plugin now properly validates allowed URLs, ensuring it can only interact with explicitly permitted endpoints. Users must configure a strict allow list to limit the plugin\u2019s access to only authorized URLs.<\/p>\n<p>Users will, however, remain vulnerable if these additional settings aren\u2019t immediately configured. \u201cIt\u2019s difficult to estimate exactly how many Grafana deployments use the default hardcoded encryption key. But in our experience, when a security feature needs to be configured manually, it is usually left unchanged,\u201d noted Pticha.<\/p>\n<p>Only the flaw affecting Infinity received a CVE, while SQLite, a community-maintained plugin, was fixed by its developer, Sergej Herbert. 
\u201cBoth the SQLite plugin maintainer and Grafana Labs were highly responsive and great to work with throughout the disclosure process,\u201d Pticha added.<\/p>\n<p>In an email, Grafana Labs CISO, Joe McManus, shared the following comment:<\/p>\n<p>\u201cSecurity is a shared responsibility, especially with community-contributed plugins, and we take that responsibility seriously,\u201d he wrote. \u201cAs soon as we were made aware of these vulnerabilities, we worked closely with the researchers to validate the findings, develop fixes, and\u00a0<a href=\"https:\/\/grafana.com\/security\/security-advisories\/cve-2025-8341\/\" target=\"_blank\" rel=\"noopener\">release updated versions<\/a>. Grafana Cloud users are able to opt in to our managed plugins feature (which has been the default for all new instances since late last year) which automatically keeps plugins up to date, reducing the risk of similar issues. We remain committed to strengthening Grafana\u2019s security posture and ensuring our community and customers have the guidance they need to safeguard their observability environments.\u201d<\/p>\n<p>This is the second time in three months that Grafana has been hit with a critical SSRF flaw; a June 2025 vulnerability <a href=\"https:\/\/www.csoonline.com\/article\/4007522\/grafana-ghost-xss-flaw-exposes-47000-servers-to-account-takeover.html\" target=\"_blank\" rel=\"noopener\">exposed 47000 servers<\/a> to potential account takeover.<\/p>\n<p><em>Updated with a statement from Grafana.<\/em><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Two now-patched critical flaws in Grafana\u2019s plugin architecture could let attackers take full control of an organization\u2019s observability instance. 
Grafana is a widely used DevOps observability platform for visualizing metrics, logs, and traces, and the two plugins in question, SQLite for accessing locally stored data and Infinity for fetching data from remote sources, extend its [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":4382,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-4391","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4391"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4391"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4391\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/4382"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4391"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4391"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4391"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}