Arbitrary Code Execution in Grafana Image Renderer Plugin
wordt vertaald…Platform
grafana
Component
grafana-image-renderer
Opgelost in
4.0.17
CVE-2025-11539 describes a critical remote code execution (RCE) vulnerability affecting Grafana Image Renderer versions 1.0.0 through 4.0.16. This flaw allows attackers to execute arbitrary code by manipulating file paths within the /render/csv endpoint. The vulnerability stems from insufficient validation of the filePath parameter, enabling malicious file writes. A fix is available in version 4.0.17.
Impact en Aanvalsscenarioswordt vertaald…
The impact of CVE-2025-11539 is severe. Successful exploitation allows an attacker to execute arbitrary code on the server hosting the Grafana Image Renderer. This could lead to complete system compromise, data exfiltration, and denial of service. The attacker needs to be able to reach the /render/csv endpoint and bypass authentication, typically by leveraging the default 'authToken' or obtaining valid credentials. The ability to write shared objects and have them loaded by the Chromium process significantly elevates the risk, as it bypasses typical sandboxing protections. This vulnerability shares similarities with other file write vulnerabilities where attackers leverage process loading mechanisms to achieve code execution.
Uitbuitingscontextwordt vertaald…
CVE-2025-11539 was publicly disclosed on 2025-10-09. The CVSS score of 9.9 (CRITICAL) indicates a high probability of exploitation. As of this writing, no public proof-of-concept (PoC) code has been released, but the vulnerability's ease of exploitation suggests it is likely to be targeted. It is not currently listed on CISA KEV. Monitor security advisories and threat intelligence feeds for updates.
Wie Loopt Risicowordt vertaald…
Organizations using Grafana Image Renderer in production environments, particularly those that have not changed the default authentication token or have exposed the Image Renderer endpoint to untrusted networks, are at significant risk. Shared hosting environments where multiple users share the same Grafana instance are also particularly vulnerable.
Detectiestappenwordt vertaald…
• linux / server:
find / -name '*.so' -type f -mtime -7 -ls• generic web:
curl -I <grafana_image_renderer_url>/render/csv• grafana: Review Grafana Image Renderer logs for unusual file write attempts, particularly to directories outside of the expected data storage location.
Aanvalstijdlijn
- Disclosure
disclosure
Dreigingsinformatie
Exploit Status
EPSS
0.30% (53% percentiel)
CISA SSVC
CVSS-vector
Wat betekenen deze metrics?
- Attack Vector
- Netwerk — op afstand uitbuitbaar via internet. Geen fysieke of lokale toegang vereist.
- Attack Complexity
- Laag — geen speciale voorwaarden vereist. Betrouwbaar uitbuitbaar.
- Privileges Required
- Laag — elk geldig gebruikersaccount is voldoende.
- User Interaction
- Geen — automatische en stille aanval. Slachtoffer doet niets.
- Scope
- Gewijzigd — aanval kan voorbij het kwetsbare component uitbreiden naar andere systemen.
- Confidentiality
- Hoog — volledig verlies van vertrouwelijkheid. Aanvaller kan alle gegevens lezen.
- Integrity
- Hoog — aanvaller kan alle gegevens schrijven, aanpassen of verwijderen.
- Availability
- Hoog — volledige crash of uitputting van resources. Totale denial of service.
Getroffen Software
Zwakheidsclassificatie (CWE)
Tijdlijn
- Gereserveerd
- Gepubliceerd
- Gewijzigd
- EPSS bijgewerkt
Mitigatie en Workaroundswordt vertaald…
The primary mitigation for CVE-2025-11539 is to upgrade Grafana Image Renderer to version 4.0.17 or later. If immediate upgrading is not possible, consider restricting access to the /render/csv endpoint using a web application firewall (WAF) or proxy. Implement strict authentication controls and immediately change the default 'authToken' to a strong, unique value. Monitor Grafana Image Renderer logs for suspicious file write attempts, particularly those targeting unusual locations. While a direct detection signature is difficult to create, monitoring for the creation of shared object files in unexpected directories could be a useful indicator.
Hoe te verhelpenwordt vertaald…
Actualice el plugin Grafana Image Renderer a la versión 4.0.17 o superior. Si no puede actualizar inmediatamente, cambie el token de autenticación predeterminado ("authToken") y asegúrese de que el endpoint del renderizador de imágenes no sea accesible para atacantes.CVE Beveiligingsnieuwsbrief
Kwetsbaarheidsanalyses en kritieke waarschuwingen direct in uw inbox.
Veelgestelde vragenwordt vertaald…
What is CVE-2025-11539 — RCE in Grafana Image Renderer?
CVE-2025-11539 is a critical remote code execution vulnerability in Grafana Image Renderer versions 1.0.0–4.0.16, allowing attackers to execute arbitrary code through file write manipulation.
Am I affected by CVE-2025-11539 in Grafana Image Renderer?
You are affected if you are running Grafana Image Renderer versions 1.0.0 through 4.0.16 and have not changed the default authentication token or restricted access to the /render/csv endpoint.
How do I fix CVE-2025-11539 in Grafana Image Renderer?
Upgrade Grafana Image Renderer to version 4.0.17 or later. As a temporary workaround, restrict access to the /render/csv endpoint and change the default authentication token.
Is CVE-2025-11539 being actively exploited?
While no public exploits are currently known, the vulnerability's severity and ease of exploitation suggest it is likely to be targeted. Monitor security advisories for updates.
Where can I find the official Grafana advisory for CVE-2025-11539?
Refer to the official Grafana security advisory for CVE-2025-11539 on the Grafana website (https://grafana.com/security/advisories).
Is jouw project getroffen?
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.