This security advisory from Red Hat addresses two vulnerabilities in the go-git library integrated with Grafana. CVE-2025-21613 is an argument injection vulnerability via the URL field, categorized under CWE-88 (Argument Injection or Modification). CVE-2025-21614 is a denial of service vulnerability caused by maliciously crafted Git server replies, related to CWE-770 (Allocation of Resources Without Limits or Throttling). The vulnerabilities affect Red Hat Enterprise Linux 8 and its Extended Life Cycle variants across multiple architectures. Red Hat has published updated Grafana packages (version 9.2.10-21.el8_10) that fix these issues. The advisory is classified as Important, indicating a high security impact but not critical. No CVSS scores are provided, and no exploits in the wild are currently known.

The vulnerabilities could allow an attacker to perform argument injection via the URL field, potentially leading to unintended command execution or manipulation within the go-git client used by Grafana. Additionally, the denial of service vulnerability could cause go-git clients to become unresponsive or crash when interacting with a malicious Git server. These issues could disrupt Grafana's functionality or compromise its reliability. However, no known exploits have been reported in the wild, and the impact is limited to affected versions of Grafana packaged for Red Hat Enterprise Linux 8.

Red Hat has released updated Grafana packages that address these vulnerabilities. Users of affected Red Hat Enterprise Linux 8 versions should apply the security update to Grafana as provided in the advisory RHSA-2025:0401. Detailed instructions for applying the update are available at https://access.redhat.com/articles/11258. Since this is a traditional software package and not a cloud service, remediation requires applying the vendor-provided update. Patch status is confirmed by the vendor advisory.