CVE-2025-41117: Vulnerability in Grafana grafana/grafana
CVE-2025-41117 is a medium-severity vulnerability in Grafana versions 12.2.0 and 12.3.0 affecting the Explore Traces view when using datasources with the Jaeger HTTP API. The vulnerability allows malicious JavaScript injection via stack traces rendered as raw HTML, leading to cross-site scripting (XSS). Exploitation requires an attacker to place malicious JavaScript in the stack trace field of a trace and a user to open that trace in the affected view. Jaeger gRPC and Tempo datasources are not affected. No known exploits are currently in the wild. The vulnerability impacts confidentiality and integrity but not availability.
AI Analysis
Technical Summary
CVE-2025-41117 affects Grafana 12.2.0 and 12.3.0 in the Explore Traces view when the selected datasource is configured against the Jaeger HTTP API. The Jaeger datasource returns span data, including stack traces attached to spans, and the affected view renders the stack trace as raw HTML instead of as text. Anything that reaches the stack trace field is therefore interpreted by the browser, so a stack trace containing markup or JavaScript executes in the Grafana origin: a cross-site scripting (XSS) flaw which, because the payload lives in the tracing backend, behaves as stored XSS. The injection point is the trace data itself, not a Grafana form: whoever can get a span with a crafted stack trace into the Jaeger backend (an instrumented application, a compromised service, or anyone able to submit spans to the collector) controls the payload, and the victim is any Grafana user who opens that trace in Explore. Jaeger gRPC and Tempo datasources are not affected, so exposure is limited to deployments whose Jaeger datasource uses the HTTP API. The CVSS v3.1 base score is 6.8 (medium): network attack vector and high impact on confidentiality and integrity, offset by high attack complexity and required user interaction; availability is not affected. No exploitation in the wild has been reported. Script running in the Grafana origin can read whatever the victim can see, call the Grafana API with the victim's session (changing dashboards, alert rules or datasource settings within the victim's permissions), and present convincing phishing content inside the Grafana UI. Whether it can read the session cookie directly depends on the cookie flags, but it does not need to, since the browser attaches the cookie to every request the script makes. Because Grafana sits in front of monitoring and observability data, this is a meaningful information disclosure and tampering risk.
Potential Impact
For European organizations the risk is to the confidentiality and integrity of monitoring data and of Grafana user sessions, not to availability. A successful payload runs with the victim's Grafana permissions: it can read dashboards, alert rules and datasource results the victim can see, change them, or present forged content inside the Grafana UI. That matters most where Grafana is the operational window onto infrastructure, application performance or security analytics, because tampered dashboards or altered alert rules mislead operators, and the impact is heightened in sectors with strict data-protection obligations such as finance, healthcare and critical infrastructure. Because the payload is delivered through trace data, the attacker needs both a way to get a crafted span into the Jaeger backend and a victim who opens the trace; social engineering (for example, a ticket asking an operator to look at a specific failing trace) is the natural way to supply the user interaction the CVSS vector requires. The absence of an availability impact rules out direct service disruption but does not reduce the threat to data confidentiality and integrity.
Mitigation Recommendations
European organizations should immediately identify Grafana instances running 12.2.0 or 12.3.0 that have a Jaeger datasource configured against the Jaeger HTTP API (the datasource list and each Jaeger datasource's settings page show this). Mitigation steps:
1) Upgrade to the fixed release named in Grafana's advisory for this CVE. This is the only complete fix, since the flaw is in how the Explore Traces view renders the data.
2) If patching must wait, reduce who can reach the affected view: restrict Explore to the users who need it through role-based permissions, or disable Explore entirely with the [explore] enabled setting in grafana.ini. Where the Jaeger backend also serves gRPC, pointing the datasource at it removes the affected path, since Jaeger gRPC datasources are not affected.
3) Treat stack traces as untrusted data. Sanitization can be applied in a proxy in front of the Jaeger query API, but escaping at render time is the correct control; stripping markup at ingestion destroys forensic detail and will not cover every consumer. Legitimate stack traces contain characters such as '<' (for example <anonymous>), so any filter must target tags and event-handler attributes, not angle brackets in general.
4) Tell users that opening traces originating from untrusted or internet-facing services carries this risk until the instance is patched.
5) Monitor for exploitation attempts: search the Jaeger backend for spans whose stack trace fields contain HTML tags, script or event-handler attributes, and correlate hits with Grafana request logs for Explore queries against the Jaeger datasource.
6) Enable Grafana's Content Security Policy ([security] content_security_policy and content_security_policy_template in grafana.ini) so that injected inline script and event handlers are blocked as defense in depth; CSP reduces the impact but does not remove the bug.
7) Limit network access to Grafana, enforce strong authentication, keep session lifetimes short and session cookies HttpOnly, so that a successful payload has less to read and less time to act.
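The rendering flaw described in the technical summary, and the escape-at-render and detection advice in mitigation steps 3 and 5, as an added example; this is not Grafana's code. It models a Jaeger HTTP API trace response (constructed for the example, in the shape of GET /api/traces/{traceID}), shows the vulnerable pattern of concatenating the stack into markup beside the hardened escaped form, and includes a heuristic scanner for stack fields that carry markup. The field name "stack", the regex and the sample payload (a benign marker, not a working exploit) are assumptions.

```javascript
// Added example, not Grafana's code. Models the flaw described above: a
// Jaeger HTTP API span carries a stack trace log field that a trace viewer
// turns into HTML. Field name "stack" and the JSON shape are assumptions.

const escapeHtml = (s) =>
  String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));

// Constructed response in the shape of GET /api/traces/{traceID} on the
// Jaeger HTTP (query) API: one span with a log whose "stack" field holds
// attacker-controlled text. The tag is a harmless marker, not an exploit.
const jaegerResponse = {
  data: [{
    traceID: 'a1b2c3',
    spans: [{
      spanID: 'd4e5f6',
      operationName: 'checkout',
      logs: [{
        timestamp: 1700000000000000,
        fields: [
          { key: 'event', type: 'string', value: 'error' },
          { key: 'stack', type: 'string',
            value: 'Error: boom\n    at handler (app.js:10)\n<img src=x onerror="alert(document.cookie)">' },
        ],
      }],
    }],
  }],
};

// Pull every "stack" field out of every span log in a response.
function stackFields(resp) {
  const out = [];
  for (const trace of resp.data ?? []) {
    for (const span of trace.spans ?? []) {
      for (const log of span.logs ?? []) {
        for (const f of log.fields ?? []) {
          if (f.key === 'stack') {
            out.push({ traceID: trace.traceID, spanID: span.spanID, stack: String(f.value) });
          }
        }
      }
    }
  }
  return out;
}

// Vulnerable pattern: the stack is concatenated straight into markup
// (equivalent to innerHTML / dangerouslySetInnerHTML), so tags survive
// and the browser executes any handler or script they carry.
function renderStackVulnerable(stack) {
  return `<pre class="stack">${stack}</pre>`;
}

// Hardened pattern: escape before the string becomes markup. In React,
// rendering the string as a text child (not via dangerouslySetInnerHTML)
// has the same effect.
function renderStackSafe(stack) {
  return `<pre class="stack">${escapeHtml(stack)}</pre>`;
}

// Detection aid for mitigation step 5. Real stack traces contain '<'
// (e.g. "<anonymous>"), so a bare '<' is not a signal; look for
// script/src-bearing tags, inline event handlers and javascript: URLs.
// Heuristic (assumption): tune the tag list to your own stack formats.
const MARKUP_RE = /<\s*(script|img|svg|iframe|object|embed|a)\b|\bon[a-z]+\s*=|javascript:/i;

function suspiciousStacks(resp) {
  return stackFields(resp).filter((s) => MARKUP_RE.test(s.stack));
}

// Demonstrate on the constructed response.
function main() {
  const [s] = stackFields(jaegerResponse);
  console.log('vulnerable output keeps live tag:', renderStackVulnerable(s.stack).includes('<img'));
  console.log('hardened output keeps live tag  :', renderStackSafe(s.stack).includes('<img'));
  console.log('flagged spans:', suspiciousStacks(jaegerResponse).map((x) => x.spanID));
}
main();
```

Run it with node; the vulnerable renderer emits the tag intact while the hardened one emits `&lt;img ...&gt;`, which the browser displays as text. The scanner is meant to run over traces pulled from the Jaeger query API, not inside Grafana, so it can be scheduled independently of the patch.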
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: GRAFANA
- Date Reserved: 2025-04-16T09:19:26.443Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 698d9b14c9e1ff5ad8b1f9ec
Added to database: 2/12/2026, 9:19:16 AM
Last enriched: 2/12/2026, 9:33:45 AM
Last updated: 2/12/2026, 10:22:03 AM
Related Threats
- CVE-2026-1356: CWE-918 Server-Side Request Forgery (SSRF) in mateuszgbiorczyk Converter for Media – Optimize images | Convert WebP & AVIF (Medium)
- CVE-2026-21722: Vulnerability in Grafana grafana/grafana (Medium)
- CVE-2025-15577: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Valmet Valmet DNA Web Tools (High)
- Exposed Training Open the Door for Crypto-Mining in Fortune 500 Cloud Environments (Medium)
- First Malicious Outlook Add-In Found Stealing 4,000+ Microsoft Credentials (Medium)