CVE-2025-41117: Vulnerability in Grafana grafana/grafana
Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field. Only datasources with the Jaeger HTTP API appear to be affected; Jaeger gRPC and Tempo do not appear affected whatsoever.
AI Analysis
Technical Summary
CVE-2025-41117 is a reflected cross-site scripting (XSS) vulnerability identified in Grafana's Explore Traces feature specifically when interfacing with datasources that use the Jaeger HTTP API. Grafana versions 12.2.0 and 12.3.0 render stack traces as raw HTML in the browser without proper sanitization, allowing an attacker who can inject malicious JavaScript into the stack trace field to execute arbitrary scripts in the context of the victim's browser. This vulnerability stems from improper output encoding and input validation, classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The attack requires the attacker to supply malicious JavaScript within the stack trace data, which then gets rendered and executed when a user views the Explore Traces page. The vulnerability does not affect other Jaeger datasource protocols such as gRPC or Tempo, limiting the scope to Jaeger HTTP API users. The CVSS 3.1 score of 6.8 reflects a network-based attack vector with high impact on confidentiality and integrity, but with high attack complexity and requiring user interaction, as the victim must view the malicious trace data. No public exploits have been reported, but the vulnerability poses a risk of session hijacking, data theft, or other malicious actions via script execution in the victim's browser.
Potential Impact
This vulnerability can lead to unauthorized disclosure of sensitive information, session hijacking, or manipulation of the Grafana user interface through malicious JavaScript execution. Organizations relying on Grafana with Jaeger HTTP API datasources are at risk of attackers injecting malicious scripts into stack traces, potentially compromising user accounts and sensitive monitoring data. The impact is particularly significant for organizations that use Grafana for critical infrastructure monitoring, as attackers could leverage this to gain further footholds or disrupt operations. Although exploitation requires user interaction and high attack complexity, the widespread use of Grafana in enterprise environments means the potential attack surface is large. The vulnerability does not affect availability but threatens confidentiality and integrity of data and user sessions.
Mitigation Recommendations
Organizations should upgrade Grafana to a version where this vulnerability is patched once available. Until patches are released, administrators should restrict access to the Explore Traces feature and limit datasource usage to trusted sources. Input validation and output encoding controls should be enforced on stack trace data to prevent raw HTML rendering. Monitoring and alerting for suspicious trace data inputs can help detect attempted exploitation. Additionally, applying Content Security Policy (CSP) headers can mitigate the impact of XSS by restricting script execution sources. Educating users to avoid interacting with untrusted trace data and disabling or restricting the Jaeger HTTP API datasource where feasible can reduce risk. Regularly reviewing Grafana configurations and logs for anomalies related to trace data injection is also recommended.
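The two defensive controls in the paragraph above, output encoding of stack-trace text before it reaches the DOM and a heuristic check that flags trace fields carrying markup, as an added example. This is not Grafana's or the analysis provider's code. The span layout (`tags` and `logs[].fields` entries with `key`, `type`, `value`) follows the Jaeger JSON trace format; the assumption that the stack trace lives in a `stack` log field, the element-name list in `MARKUP_PATTERN`, and the two sample spans are all constructed for this example.

```javascript
// Added example (not Grafana's code): defensive handling of stack-trace text
// taken from a Jaeger HTTP API trace response before it reaches the browser.
// The span shape (tags / logs[].fields with key, type, value) follows the
// Jaeger JSON format; the sample spans below are constructed.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output encoding: turn every HTML-significant character into an entity so the
// browser shows the trace text literally instead of parsing it as markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Safe renderer: the only markup in the result is the <pre> wrapper added here;
// all trace content inside it is escaped. (The unsafe pattern this replaces is
// assigning the raw trace string to innerHTML.)
function renderStackTrace(stackTrace) {
  const lines = String(stackTrace).split('\n').map(escapeHtml);
  return `<pre class="stack-trace">${lines.join('\n')}</pre>`;
}

// Detection heuristic for the "monitor suspicious trace inputs" recommendation:
// flag string fields containing a known HTML element name, an inline event
// handler attribute, or a javascript: URL. A bare '<' is deliberately not
// enough, because C++ templates and Java generics appear in real stack traces.
const HTML_ELEMENTS = 'script|img|svg|iframe|object|embed|a|div|span|style|link|meta|body|input|form|video|audio|math|details';
const MARKUP_PATTERN = new RegExp(
  `<\\s*/?\\s*(?:${HTML_ELEMENTS})\\b|\\bon[a-z]+\\s*=|javascript\\s*:`, 'i'
);

// Walk every span tag and log field; report the location of each string value
// that matches the heuristic so an analyst can review the trace.
function findSuspiciousFields(spans) {
  const hits = [];
  for (const span of spans) {
    const candidates = [];
    for (const tag of span.tags || []) candidates.push({ where: 'tag', key: tag.key, value: tag.value });
    for (const log of span.logs || []) {
      for (const field of log.fields || []) candidates.push({ where: 'log', key: field.key, value: field.value });
    }
    for (const c of candidates) {
      if (typeof c.value === 'string' && MARKUP_PATTERN.test(c.value)) {
        hits.push({ traceID: span.traceID, spanID: span.spanID, where: c.where, key: c.key });
      }
    }
  }
  return hits;
}

// Constructed sample: span-1 carries a legitimate C++ trace (angle brackets from
// templates, must not be flagged); span-2 carries HTML markup in its stack field.
const SAMPLE_SPANS = [
  {
    traceID: 'constructed-trace-0001',
    spanID: 'span-1',
    operationName: 'GET /api/orders',
    tags: [{ key: 'http.status_code', type: 'int64', value: 500 }],
    logs: [{ timestamp: 1700000000000000, fields: [
      { key: 'event', type: 'string', value: 'error' },
      { key: 'stack', type: 'string', value:
        '#0 0x0000 in std::vector<int, std::allocator<int> >::at(unsigned long)\n' +
        '#1 0x0000 in OrderCache::lookup(std::string const&)' },
    ] }],
  },
  {
    traceID: 'constructed-trace-0001',
    spanID: 'span-2',
    operationName: 'GET /api/orders',
    tags: [],
    logs: [{ timestamp: 1700000000000001, fields: [
      { key: 'event', type: 'string', value: 'error' },
      { key: 'stack', type: 'string', value:
        'Error: lookup failed\n<script>alert(1)</script>\n    at handler (app.js:10:5)' },
    ] }],
  },
];

// Stand-alone demonstration: one hit (span-2, log field "stack"), and the
// rendered fragment shows the markup as literal text.
console.log(findSuspiciousFields(SAMPLE_SPANS));
console.log(renderStackTrace(SAMPLE_SPANS[1].logs[0].fields[1].value));
```

`findSuspiciousFields` is a review aid, not a blocker: the element-name list will miss unusual tags and `\bon[a-z]+\s*=` can match harmless text such as `option=`, so its output belongs in an alert queue for a human to look at. The rendering fix is the actual control; once every trace string passes through `escapeHtml` (or is inserted as a DOM text node), whatever the detector misses is still displayed rather than executed.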
Affected Countries
United States, Germany, United Kingdom, France, Japan, Canada, Australia, Netherlands, Sweden, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GRAFANA
- Date Reserved: 2025-04-16T09:19:26.443Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 698d9b14c9e1ff5ad8b1f9ec
Added to database: 2/12/2026, 9:19:16 AM
Last enriched: 2/26/2026, 11:11:51 PM
Last updated: 3/11/2026, 11:05:17 PM