Grafana security update: Medium severity security release for CVE-2025-3415

2025-06-13

Today we are releasing security patches for Grafana 12.0.1, 11.6.2, 11.5.5, 11.4.5, 11.3.7, 11.2.10, and 10.4.19. These patch releases contain a fix for CVE-2025-3415, a medium severity vulnerability that exposes DingDing contact points in Grafana Alerting.

Grafana Labs customers received patch versions in advance and appropriate patches have been applied to Grafana Cloud. As always, we closely coordinated with all cloud providers licensed to offer Grafana Cloud Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This is applicable to Amazon Managed Grafana and Azure Managed Grafana.

H2: DingDing contact points exposed in Grafana Alerting (CVE-2025-3415)

H3: Summary

An incident occurred where the DingDing alerting integration URL was inadvertently exposed to viewers due to a setting oversight, which we learned about through a bug bounty report.

The CVSS 3.0 score for this vulnerability is 4.3 (Medium).

H3: Impact

A configured DingDing contact point in Grafana Alerting can be exposed in plain text to Grafana users with Viewer permissions.

H3: Impacted versions

Grafana versions <=12.0.1

H3: Solutions and mitigations

To fully address CVE-2025-3415, please upgrade your Grafana instances.

As an alternative solution, you can either remove any DingDing alerting configuration or revoke any DingDing API keys if you suspect that an unauthorized Viewer might have accessed the DingDing API key. 
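The following triage helper is an added example and is not part of this advisory or of Grafana's own code. It does two things an operator would want when working through the mitigations above: it decides whether a given Grafana version is at or above the patched release for its release line (using only the fixed versions listed in this post), and it picks the DingDing contact points out of a contact-point listing so they can be removed or have their keys rotated. The listing shape follows Grafana's alerting provisioning API (GET /api/v1/provisioning/contact-points); the exact field names (`uid`, `name`, `type`, `settings`) and the type value `dingding` are assumptions to verify against your instance, and the sample listing is constructed.

```python
"""Triage helper for CVE-2025-3415 (DingDing contact point exposure).

Added example, not Grafana's code. Field names in the contact-point
listing are an assumption about the provisioning API's response shape.
"""
import json
from typing import Dict, Iterable, List, Tuple

# Patched versions from the advisory, keyed by (major, minor) release line.
FIXED_VERSIONS = {
    (12, 0): (12, 0, 1),
    (11, 6): (11, 6, 2),
    (11, 5): (11, 5, 5),
    (11, 4): (11, 4, 5),
    (11, 3): (11, 3, 7),
    (11, 2): (11, 2, 10),
    (10, 4): (10, 4, 19),
}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '11.6.2' or '11.6.2+security-01' into a comparable tuple."""
    core = version.split("+", 1)[0].split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Grafana version string: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def is_patched(version: str) -> bool:
    """True only if the version is at or above the fixed release for its line.

    Release lines that received no patch in this advisory (for example 11.1.x)
    are treated as unpatched; lines newer than 12.0 are treated as carrying
    the fix, since the advisory lists <=12.0.1 as impacted.
    """
    major, minor, patch = parse_version(version)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return (major, minor) > max(FIXED_VERSIONS)
    return (major, minor, patch) >= fixed


def find_dingding_contact_points(contact_points: Iterable[dict]) -> List[dict]:
    """Return the contact points whose integration type is DingDing."""
    return [cp for cp in contact_points
            if str(cp.get("type", "")).lower() == "dingding"]


def triage(version: str, contact_points_json: str) -> Dict:
    """Summarise exposure: patched state plus the DingDing points to review."""
    points = json.loads(contact_points_json)
    dingding = find_dingding_contact_points(points)
    patched = is_patched(version)
    if not dingding:
        action = "none"
    elif not patched:
        action = "upgrade; remove the DingDing contact point or rotate its key"
    else:
        action = "patched; rotate the key if a Viewer may have read it before the upgrade"
    return {
        "version": version,
        "patched": patched,
        "dingding_contact_points": [
            {"uid": cp.get("uid"), "name": cp.get("name")} for cp in dingding
        ],
        "action": action,
    }


# Constructed sample listing, not real data; the webhook URL is a placeholder.
SAMPLE_CONTACT_POINTS = json.dumps([
    {"uid": "a1b2c3", "name": "ops-dingding", "type": "dingding",
     "settings": {"url": "https://example.invalid/dingding-webhook?access_token=PLACEHOLDER"}},
    {"uid": "d4e5f6", "name": "ops-email", "type": "email",
     "settings": {"addresses": "oncall@example.invalid"}},
])

if __name__ == "__main__":
    print(json.dumps(triage("11.6.1", SAMPLE_CONTACT_POINTS), indent=2))
```

In practice you would feed `triage` the `version` field from your instance's `/api/health` response and the body of the contact-point listing; the helper deliberately never prints the `settings` block, so the secret-bearing webhook URL does not end up in logs or terminal scrollback.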

H3: Timeline and post-incident review

Here is a detailed incident timeline starting from when we originally introduced the issue. All times are in UTC.

  • 2025-04-05 08:08 - Report created
  • 2025-04-08 10:08 - Report acknowledged and reproduced
  • 2025-04-21 04:01 - Fixes developed internally
  • 2025-05-28 15:03 - Private release 
  • 2025-06-12 19:26 - Public release for 10.4.19, 11.2.10, 11.3.7 completed. Google Cloud outage on 2025-06-12 interrupts release of other versions.
  • 2025-06-13 03:52 - Security patches released for 11.4.5, 11.5.5, 11.6.2, 12.0.1
  • 2025-06-13 19:30 - Blog post published 

H2: Reporting security issues

If you think you have found a security vulnerability, please go to our Report a security issue page to learn how to send a security report.

Grafana Labs will send you a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.

Important: We ask you to not disclose the vulnerability before it has been fixed and announced, unless you received a response from the Grafana Labs security team that you can do so.

You can also read more about our bug bounty program and find out who has made our Security Hall of Fame.

H2: Security announcements

We maintain a security category on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes. You can also subscribe to our RSS feed.