Cross-site Scripting (XSS) The advisory has been revoked - it doesn't affect any version of package grafana-loki  (opens in a new tab)


Threat Intelligence

Exploit Maturity
Proof of Concept
EPSS
2.59% (85th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Cross-site Scripting (XSS) vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-RHEL8-GRAFANALOKI-10174481
  • published15 May 2025
  • disclosed15 May 2025

Introduced: 15 May 2025

NewCVE-2025-4123  (opens in a new tab)
CWE-79  (opens in a new tab)

Amendment

The Red Hat security team deemed this advisory irrelevant for RHEL:8.

NVD Description

Note: Versions mentioned in the description apply only to the upstream grafana-loki package and not the grafana-loki package as distributed by RHEL.

A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF.

The default Content-Security-Policy (CSP) in Grafana will block the XSS though the connect-src directive.