One allows SSRF, the other revealed sensitive keys
One of the flaws, CVE-2025-8341, affected the URL allowlist check of the Infinity plugin. By slipping an ‘@’ character into a crafted URL, an attacker can trick Grafana into sending requests to internal endpoints, such as cloud metadata services, effectively opening a server-side request forgery (SSRF) channel to internal endpoints.
“The Infinity plugin allows users to send HTTP requests to any URL and customize those requests with headers, parameters and payloads,” the researchers said in a blog post on Thursday that was shared with CSO ahead of publication. “Anything before the ‘@’ is treated as credentials (username and password), while everything after it is interpreted as the actual destination host and path. We crafted a URL that begins with a permitted prefix but actually routes to a different destination.”
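The bypass works against any allowlist that compares the raw URL string instead of the parsed destination. The Go example below is added here for illustration and is not code from Grafana, the Infinity plugin or the researchers; the allowlist entries, hostnames and URLs in it are constructed. It places the flawed string-prefix pattern next to a check that parses the URL with the standard library, rejects any userinfo component, and compares only the parsed hostname against the allowlist.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constructed allowlist for this example: the prefix form is what a raw
// string comparison would use, the host set is what a parsed check uses.
var (
	allowedPrefixes = []string{"https://api.example.com"}
	allowedHosts    = map[string]bool{"api.example.com": true}
)

// weakPrefixCheck shows the flawed pattern: it compares the raw string against
// an allowed prefix without parsing, so text placed in the userinfo position
// before '@' passes as though it were the destination host.
func weakPrefixCheck(raw string) bool {
	for _, p := range allowedPrefixes {
		if strings.HasPrefix(raw, p) {
			return true
		}
	}
	return false
}

// hardenedCheck parses the URL first and decides on the components that
// actually select the destination. It rejects any userinfo outright, since a
// data-source allowlist has no legitimate use for credentials embedded in the
// URL, restricts the scheme, and compares only the parsed hostname.
func hardenedCheck(raw string) (bool, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return false, err
	}
	if u.Scheme != "https" {
		return false, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	if u.User != nil {
		// Do not echo the userinfo into logs; it may hold real credentials.
		return false, fmt.Errorf("userinfo in URL is not allowed")
	}
	host := strings.ToLower(u.Hostname())
	if !allowedHosts[host] {
		return false, fmt.Errorf("host %q not in allowlist", host)
	}
	return true, nil
}

func main() {
	// Constructed inputs: a legitimate request, and one that hides the real
	// destination behind the allowed prefix placed in the userinfo position.
	for _, raw := range []string{
		"https://api.example.com/v1/metrics",
		"https://api.example.com@internal.example/latest/meta-data/",
	} {
		ok, err := hardenedCheck(raw)
		fmt.Printf("%-60s prefix=%-5t parsed=%-5t %v\n", raw, weakPrefixCheck(raw), ok, err)
	}
}
```

Running it shows the second URL accepted by the prefix comparison and rejected by the parsed check, because `net/url` assigns `api.example.com` to the userinfo and `internal.example` to the host. Rejecting userinfo entirely, rather than trying to normalise it away, keeps the check simple and removes the ambiguity the bypass relies on.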
The other defect exploited the broad filesystem access of the SQLite plugin. Because Grafana ships a hardcoded default encryption key in its official Docker image, any instance still running with that key can be fully compromised once an attacker reaches the database. As it happens, that access is provided by the SQLite plugin, which can connect to any SQLite database file the Grafana process can reach, including Grafana’s own database file.
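The chain above depends on the plugin opening whatever path it is handed. As an added example that is not Grafana's or the SQLite plugin's own code, the Go function below shows the kind of path confinement a data-source plugin can apply before opening a file: relative paths are joined onto a configured data directory, `..` segments are normalised away, existing symlinks are resolved, and anything that resolves outside the directory is refused. The directory and file names are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// confinedPath accepts a user-supplied database path only if it resolves to a
// location inside baseDir, and returns the path the plugin should open.
// A plain string-prefix comparison is not enough: "/data2/x.db" starts with
// "/data" yet lies outside it, and a symlink inside baseDir can point anywhere.
func confinedPath(baseDir, candidate string) (string, error) {
	base, err := filepath.Abs(baseDir)
	if err != nil {
		return "", err
	}
	target := candidate
	if !filepath.IsAbs(target) {
		target = filepath.Join(base, target)
	}
	target = filepath.Clean(target)
	// Resolve symlinks where the paths exist. A target that does not exist
	// keeps its lexical form, which the containment check below still covers.
	if r, err := filepath.EvalSymlinks(base); err == nil {
		base = r
	}
	if r, err := filepath.EvalSymlinks(target); err == nil {
		target = r
	}
	rel, err := filepath.Rel(base, target)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errors.New("database path escapes the plugin data directory")
	}
	return target, nil
}

func main() {
	// Constructed data directory and candidate paths.
	base := "/srv/grafana-plugin-data"
	for _, c := range []string{
		"reports/metrics.db",
		"../grafana.db",
		"/var/lib/grafana/grafana.db",
		"/srv/grafana-plugin-data2/x.db",
	} {
		p, err := confinedPath(base, c)
		fmt.Printf("%-34s -> %q %v\n", c, p, err)
	}
}
```

Confining the plugin is the mitigation for the file-access half of the chain; the key half is addressed by replacing the shipped default with an instance-specific value through Grafana's `secret_key` setting (the `GF_SECURITY_SECRET_KEY` environment variable in container deployments), so that reaching the database file no longer yields usable secrets.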