CVE-2025-11539 | THREATINT

Description

Grafana Image Renderer is vulnerable to remote code execution due to an arbitrary file write vulnerability. This is due to the fact that the /render/csv endpoint lacked validation of the filePath parameter that allowed an attacker to save a shared object to an arbitrary location that is then loaded by the Chromium process. Instances are vulnerable if: 1. The default token ("authToken") is not changed, or is known to the attacker. 2. The attacker can reach the image renderer endpoint. This issue affects grafana-image-renderer: from 1.0.0 through 4.0.16.

PUBLISHED Reserved 2025-10-09 | Published 2025-10-09 | Updated 2025-10-10 | Assigner GRAFANA

CRITICAL: 9.9CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Problem types

CWE-94 Improper Control of Generation of Code ('Code Injection')

Product status

Default status

affected

1.0.0

affected

Credits

Callum Carney finder

Wouter ter Maat finder

References

grafana.com/security/security-advisories/cve-2025-11539/ vendor-advisory

github.com/...na/grafana-image-renderer/releases/tag/v4.0.17 patch

cve.org (CVE-2025-11539)

nvd.nist.gov (CVE-2025-11539)

Download JSON