CVE-2025-6023: Grafana is vulnerable to XSS attacks through open redirects and path traversal
(updated )
An open redirect vulnerability has been identified in Grafana OSS that can be exploited to achieve XSS attacks. The vulnerability was introduced in Grafana v11.5.0.
The open redirect can be chained with path traversal vulnerabilities to achieve XSS.
Fixed in versions 12.0.2+security-01, 11.6.3+security-01, 11.5.6+security-01, 11.4.6+security-01 and 11.3.8+security-01
References
- github.com/advisories/GHSA-vqph-p5vc-g644
- github.com/grafana/grafana
- github.com/grafana/grafana/commit/0ba0b99665a946cd96676ef85ec8bc83028cb1d7
- github.com/grafana/grafana/commit/40ed88fe86d347bcde5ddaed6c4a20a95d2f0d55
- github.com/grafana/grafana/commit/5b00e21638f565eed46acb4d0b7c009968df4c3b
- github.com/grafana/grafana/commit/b6dd2b70c655c61b111b328f1a7dcca6b3954936
- github.com/grafana/grafana/commit/e0ba4b480954f8a33aa2cff3229f6bcc05777bd9
- grafana.com/blog/2025/07/17/grafana-security-release-medium-and-high-severity-fixes-for-cve-2025-6197-and-cve-2025-6023
- grafana.com/security/security-advisories/cve-2025-6023
- nvd.nist.gov/vuln/detail/CVE-2025-6023
Code Behaviors & Features
Detect and mitigate CVE-2025-6023 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →