
Flaws in a pair of Grafana plugins might hand over DevOps management

One allowed SSRF, the other revealed sensitive keys

One of the flaws, CVE-2025-8341, lurked in Infinity's URL allow-list check. By slipping an '@' symbol into a crafted URL, attackers could trick Grafana into sending server-side requests (SSRF) to internal endpoints, such as cloud metadata services, effectively opening a tunnel into otherwise unreachable infrastructure.

"The Infinity plugin allows users to send HTTP requests to any URL and customize those requests with headers, parameters, and payloads," the researchers said in a blog post shared with CSO before its publication on Thursday. "Anything before the '@' is treated as credentials (username and password), while everything after it is interpreted as the actual destination host and path. We crafted a URL that begins with an allowed prefix but actually routes to a different destination."
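The bypass hinges on how a URL's authority section is parsed: in `scheme://userinfo@host/path`, everything between `//` and the last `@` is credentials, and the real host comes after. A check that compares the raw string against an allowed prefix never sees that boundary. The Go program below is an added illustration written for this article, not the Infinity plugin's code; the allow-list, the host names and the three test URLs are constructed for the example. It places the weak prefix comparison beside a check that parses first and compares the resolved host, and also shows that the same parsed-host check catches a look-alike domain that a bare prefix match would accept.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// allowedHosts is a constructed allow-list for this example; the real
// plugin's list and its check live in the plugin's own code.
var allowedHosts = map[string]bool{
	"api.example.com": true,
}

// naivePrefixAllowed reproduces the weak pattern described above: the raw
// URL string is compared against "https://<allowed host>" as a prefix, with
// no parsing of where the authority section actually ends.
func naivePrefixAllowed(raw string) bool {
	for h := range allowedHosts {
		if strings.HasPrefix(strings.ToLower(raw), "https://"+h) {
			return true
		}
	}
	return false
}

// destinationHost returns the host an HTTP client would actually connect to,
// which is what a correct allow-list has to compare against.
func destinationHost(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	return strings.ToLower(u.Hostname()), nil
}

// hostAllowed is the hardened check: parse first, refuse userinfo outright
// (a data-source URL has no business carrying "user:pass@"), and compare the
// parsed host, not the raw string, against the allow-list.
func hostAllowed(raw string) bool {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "https" || u.User != nil {
		return false
	}
	return allowedHosts[strings.ToLower(u.Hostname())]
}

func main() {
	// Constructed inputs: a legitimate URL, the '@' trick aimed at the
	// link-local cloud metadata address, and a look-alike domain that also
	// slips past a bare prefix comparison.
	for _, raw := range []string{
		"https://api.example.com/v1/metrics",
		"https://api.example.com@169.254.169.254/latest/meta-data/",
		"https://api.example.com.attacker.example/",
	} {
		host, _ := destinationHost(raw)
		fmt.Printf("%-60s prefix=%-5v parsed=%-5v -> %s\n",
			raw, naivePrefixAllowed(raw), hostAllowed(raw), host)
	}
}
```

Rejecting any URL with userinfo, rather than merely ignoring it, is deliberate: nothing in a dashboard data source legitimately needs inline credentials, and refusing them removes the ambiguity entirely instead of relying on the parser to split the string the same way the HTTP client will.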

The other flaw exploited the SQLite plugin's broad filesystem access. Because Grafana ships with a hardcoded default encryption key in its official Docker image, any instance left with that key unchanged could be fully compromised if an attacker gained access to its database: with the default key known, the secrets encrypted in that file can be recovered. As it happens, that access is provided by the SQLite plugin, which can connect to any SQLite database file the Grafana process can reach, including Grafana's own database file.
