Introduction
Attackers can achieve remote code execution on vulnerable Grafana deployments by exploiting a path-handling flaw in the Image Renderer plugin. The plugin is a core component used for dashboard rendering and alerting in many enterprise environments, so rapid remediation is essential.
Grafana is a leading open source platform for data visualization and monitoring, with millions of users and a broad ecosystem of plugins and integrations. The Image Renderer plugin enables rendering of dashboards and panels as images, supporting alerting, reporting, and PDF export features. Its wide deployment and integration with critical monitoring workflows amplify the impact of security flaws in this component.
Technical Information
CVE-2025-11539 arises from improper validation of the filePath parameter of the /render/csv endpoint in the Grafana Image Renderer plugin. The endpoint accepts a file path naming where the rendered CSV output should be written as a temporary file. Because the value is neither validated nor sanitised, an attacker can supply an arbitrary path, including one that escapes the intended temporary directory.
A path-controlled file write becomes code execution because of how the rendering process is built: the renderer drives a Chromium instance, and Chromium loads shared libraries from locations it trusts at start-up. A remote attacker who can place a crafted shared object (.so file) in one of those locations has it loaded into the Chromium process and runs arbitrary code with the privileges of the rendering service.
Exploitation requires:
- The renderer's shared authentication token (authToken) is still the default value, or is otherwise known to the attacker
- The attacker has network access to the image renderer endpoint
This vulnerability affects all deployments of grafana-image-renderer from version 1.0.0 through 4.0.16. It is categorized under CWE-94 (Code Injection).
Patch Information
Grafana Labs has released a fix that adds validation of the filePath parameter so that it can no longer name a location outside the intended directory. This page gives the fixed release as version 3.0.1, which does not agree with the affected range of 1.0.0 through 4.0.16 stated below, so confirm the fixed version against the vendor advisory linked below rather than relying on the number here, and upgrade to the release that advisory names. Until the upgrade is applied, both prerequisites for exploitation can be removed independently: replace the default authToken with a long random value, and restrict network access to the renderer so that only the Grafana server can reach it.
Patch source: https://grafana.com/security/security-advisories/cve-2025-11539/
Affected Systems and Versions
- Product: Grafana Image Renderer plugin
- Affected versions: 1.0.0 through 4.0.16
- Vulnerable configurations: instances where the default authToken is unchanged or known to the attacker, and the image renderer endpoint is reachable over the network
Vendor Security History
Grafana Labs has previously addressed critical vulnerabilities in the Image Renderer plugin, including issues related to Chromium and dependency management. The vendor typically releases security patches within days of disclosure and maintains a public security advisory process. Grafana's security history includes multiple advisories for remote code execution and dependency vulnerabilities, reflecting the complexity of maintaining secure rendering capabilities.