CVE-2025-41117: Vulnerability in Grafana grafana/grafana
Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field. Only datasources with the Jaeger HTTP API appear to be affected; Jaeger gRPC and Tempo do not appear affected whatsoever.
AI Analysis
Technical Summary
CVE-2025-41117 is a stored cross-site scripting (XSS) vulnerability identified in Grafana's Explore Traces feature specifically when interfacing with datasources that use the Jaeger HTTP API. The vulnerability arises because stack traces are rendered as raw HTML without proper sanitization, allowing an attacker to inject malicious JavaScript code into the stack trace fields. When a user views the affected trace in the Grafana UI, the malicious script executes in their browser context, potentially leading to session hijacking, data theft, or unauthorized actions within the Grafana environment. This issue is limited to Grafana versions 12.2.0 and 12.3.0 and does not affect other Jaeger datasource protocols such as gRPC or Tempo. Exploitation requires an attacker to insert malicious JavaScript into the stack trace data, which then requires a user to interact with the Explore Traces view to trigger the payload. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS v3.1 base score is 6.8, reflecting a network attack vector, high attack complexity, no privileges required, user interaction needed, and high impact on confidentiality and integrity but no impact on availability. No public exploits have been reported yet, and no official patches are linked at this time. The vulnerability was reserved in April 2025 and published in February 2026.
Potential Impact
This vulnerability can lead to unauthorized execution of JavaScript in the context of the Grafana web application, compromising the confidentiality and integrity of data displayed or managed through Grafana. Attackers could steal session cookies, perform actions on behalf of authenticated users, or exfiltrate sensitive monitoring and tracing data. Since Grafana is widely used for observability and monitoring in enterprise environments, exploitation could expose critical infrastructure insights or credentials. The requirement for user interaction and the need for malicious input in stack traces somewhat limit the attack surface, but targeted attacks against organizations using the Jaeger HTTP API datasource remain a concern. The lack of impact on availability reduces the risk of denial-of-service scenarios. Overall, the vulnerability poses a moderate risk to organizations relying on affected Grafana versions for trace visualization, especially those with high-value telemetry data.
Mitigation Recommendations
Organizations should upgrade Grafana to versions beyond 12.3.0 once patches become available to fully remediate the vulnerability. Until patches are released, administrators should restrict access to the Explore Traces view and limit datasource usage to those not using the Jaeger HTTP API, such as Jaeger gRPC or Tempo. Input validation or sanitization on stack trace data before rendering should be implemented if possible. Employ Content Security Policy (CSP) headers to restrict script execution and reduce the impact of XSS attacks. Monitor logs for suspicious stack trace entries containing script tags or unusual payloads. Educate users to avoid interacting with untrusted or suspicious trace data. Additionally, consider isolating Grafana instances or using network segmentation to limit exposure. Regularly review Grafana configurations and datasource integrations to minimize attack vectors.
Affected Countries
United States, Germany, United Kingdom, France, Japan, Australia, Canada, Netherlands, Sweden, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GRAFANA
- Date Reserved: 2025-04-16T09:19:26.443Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 698d9b14c9e1ff5ad8b1f9ec
Added to database: 2/12/2026, 9:19:16 AM
Last enriched: 3/27/2026, 6:15:18 PM
Last updated: 3/29/2026, 4:38:58 AM