Platform: grafana
Component: grafana-image-renderer
Fixed in: 4.0.17
CVE-2025-11539 describes a critical remote code execution (RCE) vulnerability affecting Grafana Image Renderer versions 1.0.0 through 4.0.16. This flaw allows attackers to execute arbitrary code by manipulating file paths within the /render/csv endpoint. The vulnerability stems from insufficient validation of the filePath parameter, enabling malicious file writes. A fix is available in version 4.0.17.
The impact of CVE-2025-11539 is severe. Successful exploitation allows an attacker to execute arbitrary code on the server hosting the Grafana Image Renderer. This could lead to complete system compromise, data exfiltration, and denial of service. The attacker needs to be able to reach the /render/csv endpoint and bypass authentication, typically by leveraging the default 'authToken' or obtaining valid credentials. The ability to write shared objects and have them loaded by the Chromium process significantly elevates the risk, as it bypasses typical sandboxing protections. This vulnerability shares similarities with other file write vulnerabilities where attackers leverage process loading mechanisms to achieve code execution.
CVE-2025-11539 was publicly disclosed on 2025-10-09. The CVSS score of 9.9 (CRITICAL) indicates a high probability of exploitation. As of this writing, no public proof-of-concept (PoC) code has been released, but the vulnerability's ease of exploitation suggests it is likely to be targeted. It is not currently listed on CISA KEV. Monitor security advisories and threat intelligence feeds for updates.
Exploit Status
EPSS: 0.30% (53rd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-11539 is to upgrade Grafana Image Renderer to version 4.0.17 or later. If immediate upgrading is not possible, consider restricting access to the /render/csv endpoint using a web application firewall (WAF) or proxy. Implement strict authentication controls and immediately change the default 'authToken' to a strong, unique value. Monitor Grafana Image Renderer logs for suspicious file write attempts, particularly those targeting unusual locations. While a direct detection signature is difficult to create, monitoring for the creation of shared object files in unexpected directories could be a useful indicator.
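As an added illustration (not the page's or Grafana's own code), the following Python checks whether an installed version falls inside the advisory's affected range and applies a defender-side heuristic to constructed access-log lines, flagging /render/csv requests whose filePath escapes an expected output directory or names a shared object. The log format, the placement of filePath as a query parameter and the /tmp/renders directory are assumptions.

```python
import re
from pathlib import PurePosixPath
from urllib.parse import parse_qs, urlsplit
AFFECTED_MIN, FIXED_IN = (1, 0, 0), (4, 0, 17)  # advisory: 1.0.0 through 4.0.16 affected
ALLOWED_DIR = PurePosixPath("/tmp/renders")  # assumed output dir; adjust to your deployment
SAMPLE_LOG = [  # constructed 'METHOD PATH?QUERY' lines, not the renderer's real log format
    "GET /render/csv?width=800&filePath=/tmp/renders/report.csv",
    "GET /render/csv?width=800&filePath=../../../usr/lib/evil.so",
    "GET /render?width=800",
]

def parse_version(text):
    """'4.0.16' or 'v4.0.16' -> (4, 0, 16); tuples compare correctly, strings do not."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(version):
    """True when this grafana-image-renderer version is inside the affected range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN

def normalise(path):
    """Collapse '.' and '..' without filesystem I/O; relative paths are taken under ALLOWED_DIR."""
    p = PurePosixPath(path)
    out = PurePosixPath("/") if p.is_absolute() else ALLOWED_DIR
    for part in p.parts:
        if part == "..":
            out = out.parent
        elif part not in ("/", "."):
            out = out / part
    return out

def suspicious_file_path(file_path):
    """Flag a filePath that escapes ALLOWED_DIR or names a shared object (.so)."""
    target = normalise(file_path)
    escapes = target != ALLOWED_DIR and ALLOWED_DIR not in target.parents
    return escapes or ".so" in target.suffixes

def scan_access_log(lines):
    """Return lines whose /render/csv request carries a suspicious filePath query value."""
    hits = []
    for line in lines:
        fields = line.split()
        url = urlsplit(fields[1]) if len(fields) > 1 else None
        if url and url.path == "/render/csv" and any(
                suspicious_file_path(fp) for fp in parse_qs(url.query).get("filePath", [])):
            hits.append(line)
    return hits
```

Running scan_access_log(SAMPLE_LOG) returns only the second constructed line; the heuristic is a review aid for the log monitoring the mitigation paragraph recommends, not a replacement for upgrading to 4.0.17.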
Update the Grafana Image Renderer plugin to version 4.0.17 or higher. If you cannot update immediately, change the default authentication token ("authToken") and ensure that the image renderer endpoint is not accessible to attackers.
CVE-2025-11539 is a critical remote code execution vulnerability in Grafana Image Renderer versions 1.0.0–4.0.16, allowing attackers to execute arbitrary code through file write manipulation.
You are affected if you are running Grafana Image Renderer versions 1.0.0 through 4.0.16 and have not changed the default authentication token or restricted access to the /render/csv endpoint.
Upgrade Grafana Image Renderer to version 4.0.17 or later. As a temporary workaround, restrict access to the /render/csv endpoint and change the default authentication token.
While no public exploits are currently known, the vulnerability's severity and ease of exploitation suggest it is likely to be targeted. Monitor security advisories for updates.
Refer to the official Grafana security advisory for CVE-2025-11539 on the Grafana website (https://grafana.com/security/advisories).