CVE-2025-8341
MEDIUMGrafana Infinity Datasource <= 3.4.1 - URL Allowlist Bypass Server-Side Request Forgery
Title source: manualDescription
Grafana is an open-source platform for monitoring and observability. The Infinity datasource plugin, maintained by Grafana Labs, allows visualizing data from JSON, CSV, XML, GraphQL, and HTML endpoints. If the plugin was configured to allow only certain URLs, an attacker could bypass this restriction using a specially crafted URL. This vulnerability is fixed in version 3.4.1.
References (2)
Core 2
Core References
Various Sources vendor-advisory
https://grafana.com/security/security-advisories/cve-2025-8341/
Release Notes patch
https://github.com/grafana/grafana-infinity-datasource/releases/tag/v3.4.1
Scores
CVSS v3
5.0
EPSS
0.0028
EPSS Percentile
19.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-918
Status
published
Products (2)
grafana/grafana-infinity-datasource
0 - 1.4.2-0.20250731100004-9c736aa21b3aGo
Grafana/grafana-infinity-datasource
0.6.0 - 3.4.1
Published
Aug 04, 2025
Tracked Since
Feb 18, 2026