CRITICAL · CVE-2025-11539 · CVSS 9.9

Arbitrary Code Execution in Grafana Image Renderer Plugin


Platform: grafana

Component: grafana-image-renderer

Fixed in: 4.0.17

AI Confidence: high · NVD · EPSS 0.3% · Reviewed: May 2026

CVE-2025-11539 describes a critical remote code execution (RCE) vulnerability affecting Grafana Image Renderer versions 1.0.0 through 4.0.16. This flaw allows attackers to execute arbitrary code by manipulating file paths within the /render/csv endpoint. The vulnerability stems from insufficient validation of the filePath parameter, enabling malicious file writes. A fix is available in version 4.0.17.

Impact and Attack Scenarios

The impact of CVE-2025-11539 is severe. Successful exploitation allows an attacker to execute arbitrary code on the server hosting the Grafana Image Renderer. This could lead to complete system compromise, data exfiltration, and denial of service. The attacker needs to be able to reach the /render/csv endpoint and bypass authentication, typically by leveraging the default 'authToken' or obtaining valid credentials. The ability to write shared objects and have them loaded by the Chromium process significantly elevates the risk, as it bypasses typical sandboxing protections. This vulnerability shares similarities with other file write vulnerabilities where attackers leverage process loading mechanisms to achieve code execution.

Exploitation Context

CVE-2025-11539 was publicly disclosed on 2025-10-09. The CVSS score of 9.9 (CRITICAL) indicates a high probability of exploitation. As of this writing, no public proof-of-concept (PoC) code has been released, but the vulnerability's ease of exploitation suggests it is likely to be targeted. It is not currently listed on CISA KEV. Monitor security advisories and threat intelligence feeds for updates.

Who Is at Risk

Organizations using Grafana Image Renderer in production environments, particularly those that have not changed the default authentication token or have exposed the Image Renderer endpoint to untrusted networks, are at significant risk. Shared hosting environments where multiple users share the same Grafana instance are also particularly vulnerable.

Detection Steps

• linux / server:

find / -name '*.so' -type f -mtime -7 -ls

• generic web:

curl -I <grafana_image_renderer_url>/render/csv

• grafana: Review Grafana Image Renderer logs for unusual file write attempts, particularly to directories outside of the expected data storage location.

Attack Timeline

  1. Disclosure

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.30% (percentile 53%)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: total

CVSS Vector

THREAT INTELLIGENCE · CVSS 3.1
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Base score: 9.9 CRITICAL

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: Low (level of authentication required)
User Interaction: None (whether a victim action is required)
Scope: Changed (impact beyond the affected component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: High (risk of service interruption)

Source: nextguardhq.com · CVSS v3.1 base score

What do these metrics mean?
Attack Vector
Network: exploitable remotely over the internet. No physical or local access required.
Attack Complexity
Low: no special conditions required. Reliably exploitable.
Privileges Required
Low: any valid user account is sufficient.
User Interaction
None: automatic, silent attack. The victim does nothing.
Scope
Changed: the attack can pivot beyond the vulnerable component.
Confidentiality
High: total loss of confidentiality. The attacker can read all data.
Integrity
High: the attacker can write, modify or delete all data.
Availability
High: complete outage or resource exhaustion. Total denial of service.

Affected Software

Component: grafana-image-renderer
Vendor: Grafana
Affected range: 1.0.0 – 4.0.16
Fixed in: 4.0.17

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2025-11539 is to upgrade Grafana Image Renderer to version 4.0.17 or later. If immediate upgrading is not possible, consider restricting access to the /render/csv endpoint using a web application firewall (WAF) or proxy. Implement strict authentication controls and immediately change the default 'authToken' to a strong, unique value. Monitor Grafana Image Renderer logs for suspicious file write attempts, particularly those targeting unusual locations. While a direct detection signature is difficult to create, monitoring for the creation of shared object files in unexpected directories could be a useful indicator.
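An added detection helper, written for this page and not taken from the advisory or from Grafana, that generalizes the find command in the Detection Steps and the shared-object indicator above: it reports recently modified .so files that sit outside an allowlist of system library directories. The allowlist and the sample directory tree are assumptions constructed here for illustration.

```python
import os
import stat
import tempfile
import time
from pathlib import Path

# Assumption: dirs where fresh .so files are normal (package upgrades); anything else is reported.
EXPECTED_SO_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/local/lib")

def find_unexpected_shared_objects(root, max_age_days=7, expected_dirs=EXPECTED_SO_DIRS, now=None):
    """Regular *.so files under root modified within max_age_days and located
    outside expected_dirs: the advisory's `find -mtime -7`, minus package noise."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    expected = tuple(os.path.realpath(d) for d in expected_dirs)  # /lib -> /usr/lib on merged-usr
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if not (name.endswith(".so") or ".so." in name):
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: a symlink is not a freshly written library
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or st.st_mtime < cutoff:
                continue
            if any(os.path.realpath(path).startswith(d + os.sep) for d in expected):
                continue
            hits.append(path)
    return sorted(hits)

def demo():
    """Build a constructed sample tree in a temp dir, scan it, return flagged paths relative to it."""
    base = tempfile.mkdtemp(prefix="so-scan-")
    ten_days_ago = time.time() - 10 * 86400
    samples = [  # (relative path, mtime; None means "just written")
        ("var/lib/grafana/libold.so", ten_days_ago),     # stale: ignored
        ("usr/lib/libc.so.6", None),                     # expected dir: ignored
        ("var/lib/grafana/png/libdrop.so", None),        # fresh and unexpected: flagged
    ]
    for rel, mtime in samples:
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        Path(path).write_bytes(b"\x7fELF constructed placeholder, not a real library")
        if mtime is not None:
            os.utime(path, (mtime, mtime))
    hits = find_unexpected_shared_objects(base, expected_dirs=(os.path.join(base, "usr/lib"),))
    return [os.path.relpath(h, base) for h in hits]
```

On a real host call `find_unexpected_shared_objects("/")` with the default allowlist and review every hit against the renderer's configured data directory.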

How to Fix

Update the Grafana Image Renderer plugin to version 4.0.17 or later. If you cannot update immediately, change the default authentication token ("authToken") and make sure the image renderer endpoint is not reachable by attackers.


Frequently Asked Questions

What is CVE-2025-11539 — RCE in Grafana Image Renderer?

CVE-2025-11539 is a critical remote code execution vulnerability in Grafana Image Renderer versions 1.0.0–4.0.16, allowing attackers to execute arbitrary code through file write manipulation.

Am I affected by CVE-2025-11539 in Grafana Image Renderer?

You are affected if you are running Grafana Image Renderer versions 1.0.0 through 4.0.16 and have not changed the default authentication token or restricted access to the /render/csv endpoint.

How do I fix CVE-2025-11539 in Grafana Image Renderer?

Upgrade Grafana Image Renderer to version 4.0.17 or later. As a temporary workaround, restrict access to the /render/csv endpoint and change the default authentication token.

Is CVE-2025-11539 being actively exploited?

While no public exploits are currently known, the vulnerability's severity and ease of exploitation suggest it is likely to be targeted. Monitor security advisories for updates.

Where can I find the official Grafana advisory for CVE-2025-11539?

Refer to the official Grafana security advisory for CVE-2025-11539 on the Grafana website (https://grafana.com/security/advisories).
