CVE-2025-11539
Published: 09 October 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-11539 is a remote code execution vulnerability in Grafana Image Renderer, stemming from an arbitrary file write flaw in the /render/csv endpoint. This endpoint failed to validate the filePath parameter, enabling an attacker to save a malicious shared object to an arbitrary location on the filesystem, which is subsequently loaded by the underlying Chromium process. The issue affects versions of grafana-image-renderer from 1.0.0 through 4.0.16 and has a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), mapped to CWE-94 (Improper Control of Generation of Code).
An attacker with low privileges (PR:L) can exploit this vulnerability over the network if they know or guess the authentication token (such as the unchanged default "authToken") and can reach the image renderer endpoint. Successful exploitation allows arbitrary code execution in the context of the Chromium process, potentially leading to full compromise of the host with high confidentiality, integrity, and availability impact because the scope is changed (S:C).
Grafana has addressed this vulnerability in grafana-image-renderer v4.0.17, as detailed in the project's GitHub release notes and the official security advisory at grafana.com/security/security-advisories/cve-2025-11539/. Security practitioners should prioritize upgrading to v4.0.17 or later, replace the default authToken with a unique secret, and restrict network access to the renderer endpoint to reduce exploitation risk.
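As an added illustration (not code from Grafana or from the advisory), the following Python shows the kind of containment check the summary says was missing on the filePath parameter, and applies it as a detection over constructed access-log lines; the output directory, the log format and the request shapes are assumptions.

```python
import os
from urllib.parse import parse_qs, urlsplit

# Hypothetical directory a CSV render endpoint is allowed to write into
# (an assumption for this example, not the project's real setting).
RENDER_OUTPUT_DIR = "/tmp/grafana-renders"
# The only file suffix a CSV render endpoint should ever produce.
ALLOWED_SUFFIXES = (".csv",)


def is_safe_output_path(file_path: str, base_dir: str = RENDER_OUTPUT_DIR) -> bool:
    """True only if file_path resolves inside base_dir and has an allowed suffix.

    Absolute paths, '..' traversal and non-CSV targets (e.g. a shared object)
    are rejected, which is the containment the vulnerable endpoint lacked.
    """
    if not file_path or "\x00" in file_path:
        return False
    base = os.path.realpath(base_dir)
    # Join first, then canonicalise, so '..' segments and absolute inputs
    # (os.path.join discards base for an absolute file_path) are normalised.
    target = os.path.realpath(os.path.join(base, file_path))
    if os.path.commonpath([base, target]) != base:
        return False
    return target.endswith(ALLOWED_SUFFIXES)


def flag_render_requests(log_lines):
    """Return filePath values of /render/csv requests that fail the check above."""
    flagged = []
    for line in log_lines:
        parts = line.split('"')
        if len(parts) < 2:
            continue
        fields = parts[1].split(" ")  # e.g. 'GET /render/csv?filePath=... HTTP/1.1'
        if len(fields) < 2:
            continue
        url = urlsplit(fields[1])
        if url.path != "/render/csv":
            continue
        for fp in parse_qs(url.query).get("filePath", []):  # parse_qs URL-decodes
            if not is_safe_output_path(fp):
                flagged.append(fp)
    return flagged


# Constructed sample log lines (common log format), not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Oct/2025:10:00:01 +0000] "GET /render/csv?filePath=report.csv HTTP/1.1" 200 512',
    '10.0.0.9 - - [09/Oct/2025:10:00:07 +0000] "GET /render/csv?filePath=..%2F..%2Ftmp%2Finjected.so HTTP/1.1" 200 90',
    '10.0.0.9 - - [09/Oct/2025:10:00:09 +0000] "GET /render?url=http://grafana:3000/d/abc HTTP/1.1" 200 4096',
]
```

Run `flag_render_requests(SAMPLE_LOG)` to see only the traversal request reported; the same predicate can be placed in front of the write in a renderer of your own.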
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables remote code execution through exploitation of a public-facing web endpoint (/render/csv) in Grafana Image Renderer, allowing arbitrary file writes of malicious shared objects loaded by Chromium, directly mapping to T1190: Exploit Public-Facing Application.