One allowed SSRF, the other revealed sensitive keys
One of the flaws, CVE-2025-8341, lurked in Infinity’s URL allow-list check. By slipping an ‘@’ symbol into a crafted URL, attackers could trick Grafana into sending server-side requests (SSRF) to internal endpoints, such as cloud metadata services, effectively opening a tunnel into otherwise unreachable infrastructure.
“The Infinity plugin allows users to send HTTP requests to any URL and customize those requests with headers, parameters, and payloads,” the researchers said in a blog post shared with CSO before its publication on Thursday. “Anything before the ‘@’ is treated as credentials (username and password), while everything after it is interpreted as the actual destination host and path. We crafted a URL that begins with an allowed prefix but actually routes to a different destination.”
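To make the bypass concrete from the defender's side, here is an added example (not Grafana's or the Infinity plugin's code) contrasting a string-prefix allow-list check with one that compares the parsed origin; the allow-list entry and the hostnames are constructed for the example. It also covers the related host-suffix case (`api.example.com.evil.invalid`), which a prefix check passes for the same reason.

```python
from urllib.parse import urlsplit

# Constructed allow-list for the example; the real Infinity configuration is
# not on the page. The prefix has no trailing slash, as many allow-lists do.
ALLOWED_PREFIXES = ("https://api.example.com",)


def naive_allowed(url: str) -> bool:
    """String-prefix check: the pattern this class of bypass comes from."""
    return url.startswith(ALLOWED_PREFIXES)


def _origin(url: str):
    """Return (scheme, host, port, path) for a URL, or None if it cannot be trusted."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    # Userinfo is never legitimate for an allow-listed API: everything before
    # '@' is credentials, everything after it is the real destination host.
    if parts.username is not None or parts.password is not None or "@" in parts.netloc:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return parts.scheme, parts.hostname, port, parts.path


def hardened_allowed(url: str) -> bool:
    """Compare the parsed origin (scheme, host, port) and path, not the raw string."""
    target = _origin(url)
    if target is None:
        return False
    scheme, host, port, path = target
    for prefix in ALLOWED_PREFIXES:
        allowed = _origin(prefix)
        if allowed is None:
            continue
        a_scheme, a_host, a_port, a_path = allowed
        if (scheme, host, port) == (a_scheme, a_host, a_port) and path.startswith(a_path):
            return True
    return False
```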
The other flaw exploited the SQLite plugin’s broad filesystem access. Because Grafana ships with a hardcoded default encryption key in its official Docker image, any instance left with that key unchanged could be fully compromised if an attacker accessed the database. As it happens, that access is provided by the SQLite plugin, which can connect to any SQLite database file that the Grafana process can reach, including Grafana’s own database file.