logo

Database

Reflected cross-site scripting (XSS) In grafana

Description

Grafana has a Cross-site Scripting issue Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field.

Only datasources with the Jaeger HTTP API appear to be affected; Jaeger gRPC and Tempo do not appear affected whatsoever.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2025-411172. NVD-2025-411173. OSV-2025-411174. GCVE-2025-41117

References

1. https://github.com/grafana/grafana/commit/4f624a5a01404da45d60063ae1ee2f184818cd422. https://github.com/grafana/grafana/commit/8dfa6446942873d76cd94c63a2d6b71a25e880da3. https://github.com/grafana/grafana/commit/ecff0d88680cea4ad32709cb3b94b790a7f58d254. https://grafana.com/security/security-advisories/CVE-2025-41117

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.