Plateforme
grafana
Composant
grafana-image-renderer
Corrigé dans
4.0.17
CVE-2025-11539 describes a critical remote code execution (RCE) vulnerability affecting Grafana Image Renderer versions 1.0.0 through 4.0.16. This flaw allows attackers to execute arbitrary code by manipulating file paths within the /render/csv endpoint. The vulnerability stems from insufficient validation of the filePath parameter, enabling malicious file writes. A fix is available in version 4.0.17.
The impact of CVE-2025-11539 is severe. Successful exploitation allows an attacker to execute arbitrary code on the server hosting the Grafana Image Renderer. This could lead to complete system compromise, data exfiltration, and denial of service. The attacker needs to be able to reach the /render/csv endpoint and bypass authentication, typically by leveraging the default 'authToken' or obtaining valid credentials. The ability to write shared objects and have them loaded by the Chromium process significantly elevates the risk, as it bypasses typical sandboxing protections. This vulnerability shares similarities with other file write vulnerabilities where attackers leverage process loading mechanisms to achieve code execution.
CVE-2025-11539 was publicly disclosed on 2025-10-09. The CVSS score of 9.9 (CRITICAL) indicates a high probability of exploitation. As of this writing, no public proof-of-concept (PoC) code has been released, but the vulnerability's ease of exploitation suggests it is likely to be targeted. It is not currently listed on CISA KEV. Monitor security advisories and threat intelligence feeds for updates.
Organizations using Grafana Image Renderer in production environments, particularly those that have not changed the default authentication token or have exposed the Image Renderer endpoint to untrusted networks, are at significant risk. Shared hosting environments where multiple users share the same Grafana instance are also particularly vulnerable.
• linux / server:
find / -name '*.so' -type f -mtime -7 -ls• generic web:
curl -I <grafana_image_renderer_url>/render/csv• grafana: Review Grafana Image Renderer logs for unusual file write attempts, particularly to directories outside of the expected data storage location.
disclosure
Statut de l'Exploit
EPSS
0.30% (percentile 53%)
CISA SSVC
Vecteur CVSS
The primary mitigation for CVE-2025-11539 is to upgrade Grafana Image Renderer to version 4.0.17 or later. If immediate upgrading is not possible, consider restricting access to the /render/csv endpoint using a web application firewall (WAF) or proxy. Implement strict authentication controls and immediately change the default 'authToken' to a strong, unique value. Monitor Grafana Image Renderer logs for suspicious file write attempts, particularly those targeting unusual locations. While a direct detection signature is difficult to create, monitoring for the creation of shared object files in unexpected directories could be a useful indicator.
Actualice el plugin Grafana Image Renderer a la versión 4.0.17 o superior. Si no puede actualizar inmediatamente, cambie el token de autenticación predeterminado ("authToken") y asegúrese de que el endpoint del renderizador de imágenes no sea accesible para atacantes.Analyses de vulnérabilités et alertes critiques directement dans votre boîte mail.
CVE-2025-11539 is a critical remote code execution vulnerability in Grafana Image Renderer versions 1.0.0–4.0.16, allowing attackers to execute arbitrary code through file write manipulation.
You are affected if you are running Grafana Image Renderer versions 1.0.0 through 4.0.16 and have not changed the default authentication token or restricted access to the /render/csv endpoint.
Upgrade Grafana Image Renderer to version 4.0.17 or later. As a temporary workaround, restrict access to the /render/csv endpoint and change the default authentication token.
While no public exploits are currently known, the vulnerability's severity and ease of exploitation suggest it is likely to be targeted. Monitor security advisories for updates.
Refer to the official Grafana security advisory for CVE-2025-11539 on the Grafana website (https://grafana.com/security/advisories).
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.