VYPR
Medium severity · 6.8 · NVD Advisory · Published Apr 23, 2025 · Updated Apr 15, 2026

CVE-2025-2703

Description

The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability.

A user with Editor permissions is able to modify such a panel in order to make it execute arbitrary JavaScript.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Grafana XY Chart plugin DOM XSS allows editors to inject arbitrary JavaScript into dashboards, risking session theft and privilege escalation.

Vulnerability

CVE-2025-2703 is a DOM-based cross-site scripting (XSS) vulnerability in the built-in XY Chart plugin of Grafana. The flaw arises because user-supplied content within dashboard panel configurations is not properly sanitized before being rendered in the browser [1]. This allows an attacker to inject arbitrary JavaScript code that executes in the context of another user's session when they view the affected dashboard. The vulnerability was introduced in Grafana version 11.1.0 and affects OSS and Enterprise editions [2].

Exploitation

To exploit this vulnerability, an attacker must be an authenticated user with Editor permissions (or higher) on a Grafana instance. The attacker modifies an XY Chart panel on a dashboard, embedding malicious script payloads into the panel's configuration. When other users—including viewers or administrators—open that dashboard, the injected JavaScript executes in their browser session [1]. No additional user interaction beyond viewing the dashboard is required.

Impact

Successful exploitation enables the attacker to perform arbitrary actions within the victim's session, such as exfiltrating session tokens, accessing or modifying data visible to the victim, creating or deleting dashboard resources, and potentially escalating privileges if a privileged user views the compromised dashboard [1]. Given Grafana's widespread use in enterprise monitoring, this could lead to lateral movement within an organization's observability stack.

Mitigation

Grafana released fixes in versions 11.6.0+security-01, 11.5.3+security-01, 11.4.3+security-01, 11.3.5+security-01, and 11.2.8+security-01 [2]. All Grafana deployments should be upgraded to a patched version. As a best practice, dashboard editor permissions should be restricted to trusted users only [1].
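The fixed builds listed above carry Grafana's `+security-01` suffix, which a naive semver comparison throws away (build metadata has no precedence in semver), so a plain `11.6.0` and `11.6.0+security-01` would compare equal even though only the latter is patched. The following is an added example, not VYPR's or Grafana's own code, that parses the suffix explicitly and classifies an inventory of version strings against the fixed builds named in the advisory. It assumes that later patch releases within a fixed line (e.g. `11.6.1`) and lines newer than 11.6 include the fix, and that 11.1.x has no fixed build and must move to a patched line; the inventory lines are constructed sample data.

```python
"""Classify Grafana version strings against the CVE-2025-2703 fix window.

Added example, not VYPR's or Grafana's own code. The fixed builds and the
"introduced in 11.1.0" fact come from the advisory text; the rest is assumption.
"""
import re

# (major, minor) -> (patch, security build) of the fixed release named in the advisory.
FIXED = {
    (11, 2): (8, 1),   # 11.2.8+security-01
    (11, 3): (5, 1),   # 11.3.5+security-01
    (11, 4): (3, 1),   # 11.4.3+security-01
    (11, 5): (3, 1),   # 11.5.3+security-01
    (11, 6): (0, 1),   # 11.6.0+security-01
}
INTRODUCED = (11, 1, 0)  # first affected version per the advisory

# major.minor.patch, optional -prerelease, optional +build (e.g. +security-01).
VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?(?:\+([0-9A-Za-z.-]+))?$"
)


def parse(version: str) -> tuple:
    """Return (major, minor, patch, security) where security is the NN of
    +security-NN, or 0 when the build has no security suffix."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version: {version!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    build = m.group(5) or ""
    sec = re.fullmatch(r"security-(\d+)", build)
    return major, minor, patch, int(sec.group(1)) if sec else 0


def status(version: str) -> str:
    """One of: not_affected, affected, fixed, assumed_fixed."""
    major, minor, patch, sec = parse(version)
    if (major, minor, patch) < INTRODUCED:
        return "not_affected"  # predates the vulnerable code (advisory fact)
    fix = FIXED.get((major, minor))
    if fix is None:
        if (major, minor) > max(FIXED):
            return "assumed_fixed"  # assumption: lines newer than 11.6 ship the fix
        return "affected"  # 11.1.x: no fixed build is listed, upgrade to a fixed line
    # Assumption: any later patch release in a fixed line also contains the fix,
    # so (patch, security) is compared as a pair rather than patch alone.
    return "fixed" if (patch, sec) >= fix else "affected"


# Constructed sample inventory: "<host> <grafana version>" per line.
INVENTORY = """\
grafana-prod-1 11.6.0
grafana-prod-2 11.6.0+security-01
grafana-dev    11.1.4
grafana-legacy 11.0.2
grafana-edge   12.0.1
"""


def hosts_needing_upgrade(inventory: str) -> list:
    """Return [(host, version)] for every host whose version is still affected."""
    needing = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, version = line.split()
        if status(version) == "affected":
            needing.append((host, version))
    return needing


if __name__ == "__main__":
    for host, version in hosts_needing_upgrade(INVENTORY):
        print(f"{host}: {version} is affected by CVE-2025-2703, upgrade")
```

The check is deliberately conservative: a build whose metadata is anything other than `security-NN` is treated as unpatched for its patch level, so a custom or distro-rebuilt `11.6.0+foo` is flagged rather than silently assumed fixed.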

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 19

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (no linked articles in our index yet)