CVE-2025-11539 (GCVE-0-2025-11539)

Vulnerability from cvelistv5 – Published: 2025-10-09 07:18 – Updated: 2025-10-10 05:57
Title
Arbitrary Code Execution in Grafana Image Renderer Plugin
Summary
Grafana Image Renderer is vulnerable to remote code execution through an arbitrary file write vulnerability. The /render/csv endpoint did not validate the filePath parameter, which allowed an attacker to save a shared object to an arbitrary location that is then loaded by the Chromium process.

Instances are vulnerable if:

  1. The default token ("authToken") is not changed, or is known to the attacker.
  2. The attacker can reach the image renderer endpoint.

This issue affects grafana-image-renderer: from 1.0.0 through 4.0.16.
CWE
  • CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
Impacted products
  • Vendor: Grafana
  • Product: grafana-image-renderer
  • Version: Affected from 1.0.0 up to and including 4.0.16 (semver)
Credits
  • Callum Carney
  • Wouter ter Maat

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-11539",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-09T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-10T03:55:20.910Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "grafana-image-renderer",
          "vendor": "Grafana",
          "versions": [
            {
              "lessThanOrEqual": "4.0.16",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Callum Carney"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Wouter ter Maat"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Grafana Image Renderer is vulnerable to remote code execution due to an\u0026nbsp;\u003cspan style=\"background-color: rgb(249, 249, 251);\"\u003earbitrary file write vulnerability\u003c/span\u003e\u003cspan style=\"background-color: rgb(249, 249, 251);\"\u003e. This is due to the fact that the /render/csv endpoint lacked validation of the filePath parameter that allowed an attacker to save a shared object to an arbitrary location that is then loaded by the Chromium process.\u003c/span\u003e\u003cbr\u003e\u003cbr\u003eInstances are vulnerable if:\u003cbr\u003e\u003cbr\u003e1. The default token (\"authToken\") is not changed, or is known to the attacker.\u003cbr\u003e2. The attacker can reach the image renderer endpoint.\u003cbr\u003e\u003cp\u003eThis issue affects grafana-image-renderer: from 1.0.0 through 4.0.16.\u003c/p\u003e"
            }
          ],
          "value": "Grafana Image Renderer is vulnerable to remote code execution due to an\u00a0arbitrary file write vulnerability. This is due to the fact that the /render/csv endpoint lacked validation of the filePath parameter that allowed an attacker to save a shared object to an arbitrary location that is then loaded by the Chromium process.\n\nInstances are vulnerable if:\n\n1. The default token (\"authToken\") is not changed, or is known to the attacker.\n2. The attacker can reach the image renderer endpoint.\nThis issue affects grafana-image-renderer: from 1.0.0 through 4.0.16."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-253",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-253 Remote Code Inclusion"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.9,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-10T05:57:46.542Z",
        "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "shortName": "GRAFANA"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://grafana.com/security/security-advisories/cve-2025-11539/"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/grafana/grafana-image-renderer/releases/tag/v4.0.17"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Arbitrary Code Execution in Grafana Image Renderer Plugin",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
    "assignerShortName": "GRAFANA",
    "cveId": "CVE-2025-11539",
    "datePublished": "2025-10-09T07:18:15.819Z",
    "dateReserved": "2025-10-09T06:20:49.088Z",
    "dateUpdated": "2025-10-10T05:57:46.542Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-11539\",\"sourceIdentifier\":\"security@grafana.com\",\"published\":\"2025-10-09T08:15:38.813\",\"lastModified\":\"2025-10-09T15:50:04.013\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Grafana Image Renderer is vulnerable to remote code execution due to an\u00a0arbitrary file write vulnerability. This is due to the fact that the /render/csv endpoint lacked validation of the filePath parameter that allowed an attacker to save a shared object to an arbitrary location that is then loaded by the Chromium process.\\n\\nInstances are vulnerable if:\\n\\n1. The default token (\\\"authToken\\\") is not changed, or is known to the attacker.\\n2. The attacker can reach the image renderer endpoint.\\nThis issue affects grafana-image-renderer: from 1.0.0 through 4.0.16.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@grafana.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":9.9,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.1,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"security@grafana.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-94\"}]}],\"references\":[{\"url\":\"https://github.com/grafana/grafana-image-renderer/releases/tag/v4.0.17\",\"source\":\"security@grafana.com\"},{\"url\":\"https://grafana.com/security/security-advisories/cve-2025-11539/\",\"source\":\"security@grafana.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-11539\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-10-09T15:37:36.874696Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-10-09T15:39:39.249Z\"}}], \"cna\": {\"title\": \"Arbitrary Code Execution in Grafana Image Renderer Plugin\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Callum Carney\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Wouter ter Maat\"}], \"impacts\": [{\"capecId\": \"CAPEC-253\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-253 Remote Code Inclusion\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 9.9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Grafana\", \"product\": \"grafana-image-renderer\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.0.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"4.0.16\"}], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://grafana.com/security/security-advisories/cve-2025-11539/\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://github.com/grafana/grafana-image-renderer/releases/tag/v4.0.17\", \"tags\": [\"patch\"]}], \"x_generator\": {\"engine\": \"Vulnogram 
0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Grafana Image Renderer is vulnerable to remote code execution due to an\\u00a0arbitrary file write vulnerability. This is due to the fact that the /render/csv endpoint lacked validation of the filePath parameter that allowed an attacker to save a shared object to an arbitrary location that is then loaded by the Chromium process.\\n\\nInstances are vulnerable if:\\n\\n1. The default token (\\\"authToken\\\") is not changed, or is known to the attacker.\\n2. The attacker can reach the image renderer endpoint.\\nThis issue affects grafana-image-renderer: from 1.0.0 through 4.0.16.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Grafana Image Renderer is vulnerable to remote code execution due to an\u0026nbsp;\u003cspan style=\\\"background-color: rgb(249, 249, 251);\\\"\u003earbitrary file write vulnerability\u003c/span\u003e\u003cspan style=\\\"background-color: rgb(249, 249, 251);\\\"\u003e. This is due to the fact that the /render/csv endpoint lacked validation of the filePath parameter that allowed an attacker to save a shared object to an arbitrary location that is then loaded by the Chromium process.\u003c/span\u003e\u003cbr\u003e\u003cbr\u003eInstances are vulnerable if:\u003cbr\u003e\u003cbr\u003e1. The default token (\\\"authToken\\\") is not changed, or is known to the attacker.\u003cbr\u003e2. The attacker can reach the image renderer endpoint.\u003cbr\u003e\u003cp\u003eThis issue affects grafana-image-renderer: from 1.0.0 through 4.0.16.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-94\", \"description\": \"CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"57da9224-a3e2-4646-9d0e-c4dc2e05e7da\", \"shortName\": \"GRAFANA\", \"dateUpdated\": \"2025-10-10T05:57:46.542Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-11539\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-10-10T05:57:46.542Z\", \"dateReserved\": \"2025-10-09T06:20:49.088Z\", \"assignerOrgId\": \"57da9224-a3e2-4646-9d0e-c4dc2e05e7da\", \"datePublished\": \"2025-10-09T07:18:15.819Z\", \"assignerShortName\": \"GRAFANA\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}
