CVE-2025-10630 - Grafana-Zabbix Plugin ReDoS Vulnerability Explained (w/ Exploit Example)

Grafana is a popular open-source platform used for monitoring and observability. Its flexibility and plugin support make it a staple in system monitoring setups. One powerful plugin, Grafana-Zabbix, bridges Grafana dashboards with the Zabbix monitoring system, letting users visualize and analyze detailed metrics in real time.

But with power comes responsibility. In early 2025, security researchers identified a critical vulnerability, CVE-2025-10630, in the Grafana-Zabbix plugin (up to version 5.2.1). This post will guide you through what happened, how the exploit works (with live code), and how to stay safe.

What Is CVE-2025-10630?

CVE-2025-10630 is a *Regular Expression Denial of Service* (ReDoS) vulnerability found in the Grafana-Zabbix plugin, affecting all versions from 4.. through 5.2.1. If an attacker provides a specially crafted regular expression (regex) query via the plugin's User Interface, the backend can get stuck processing it, causing your server CPU to spike to 100% and effectively DoS (Denial of Service) the Grafana platform.

- Grafana Instances: Any Grafana server with the vulnerable plugin.
- Attack Vector: Any user (even those with only dashboard edit access) crafting complex or malicious regex queries in the dashboard panels.

Technical Details: Why Does This Happen?

Many Grafana-Zabbix dashboards let users filter, aggregate, or search Zabbix items and hosts using regexes. In affected versions, user-provided regex patterns were passed directly to JavaScript’s RegExp or backend regex engines *without* safeguards or timeouts.

If an attacker provides a regex pattern that's *“catastrophic”*—meaning that processing it takes exponential time—the backend can become unresponsive, eating up server resources.

Example of a Catastrophic Regex Pattern:

^(a+)+$

When you try to match a string like 'aaaaaaaaaaaaaaaaaaaa!' against this regex, the trailing '!' makes the overall match fail, so the engine backtracks through every way of splitting the run of a's between the inner and outer quantifiers. That work roughly doubles with each extra 'a', so the match 'hangs' and burns CPU for ages.

Live Exploit Example

Let’s see how such a regex can be abused via the plugin’s data source filters.

The result: server CPU spikes and Grafana hangs. If Zabbix has many items, the regex is re-applied to each of them, magnifying the ReDoS effect.

JavaScript Code Snippet — Simulating the Freezing Regex

const regex = /^(a+)+$/;
const evilInput = 'a'.repeat(25) + '!'; // Large "Evil" String

console.time('ReDoS');
regex.test(evilInput); // This can hang for seconds or minutes!
console.timeEnd('ReDoS');

Run this in Node.js or the browser console—you'll see how long it freezes!

- No privilege escalation required: Any user with access to dashboards can attempt this.
- Even “trusted” environments at risk: A mis-typed regex or cut-paste error from power users is enough to accidentally cause trouble.
- Service-wide impact: Once the server is bogged down, other dashboards (even unrelated ones) slow down or crash.

Fix & Mitigation

- Grafana-Zabbix 6.. (and above) now sanitizes incoming regexes, limits their complexity, and applies operation timeouts to avoid expensive evaluations.
- Upgrade NOW: Grafana-Zabbix plugin releases
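To make the "sanitize and limit complexity" part of the fix concrete, here is an added JavaScript guard for user-supplied filter patterns. It is illustrative code written for this post, not the plugin's own implementation; the length limits, the item names and the function names are assumptions.

```javascript
// Added, illustrative guard (not code from the Grafana-Zabbix project) for
// user-supplied regex filters: reject patterns whose shape permits catastrophic
// backtracking, e.g. /^(a+)+$/, and cap pattern and subject length.
const MAX_PATTERN_LENGTH = 200;  // assumed policy values, not the plugin's own
const MAX_SUBJECT_LENGTH = 4096;
const QUANT_START = new Set(['*', '+', '?', '{']); // '{' treated conservatively
// Structural check: is a quantifier applied to a group that already contains a
// quantifier? A heuristic, not a proof (overlapping alternation like (a|aa)+ is
// not caught), so the length caps above remain the backstop.
function hasNestedQuantifier(source) {
  const stack = [];      // one flag per open group: quantifier seen inside?
  let inClass = false;
  for (let i = 0; i < source.length; i++) {
    const ch = source[i];
    if (ch === '\\') { i++; continue; }                  // escaped char is literal
    if (inClass) { if (ch === ']') inClass = false; continue; }
    if (ch === '[') { inClass = true; continue; }
    if (ch === '(') {                                    // open group; skip the '?' of (?: (?= ...
      stack.push(false);
      if (source[i + 1] === '?') i++;
      continue;
    }
    if (ch === ')') {
      const inner = stack.pop();
      if (inner && QUANT_START.has(source[i + 1])) return true; // e.g. (a+)+
      if (inner && stack.length) stack[stack.length - 1] = true; // bubble up to parent
      continue;
    }
    if (QUANT_START.has(ch) && stack.length) stack[stack.length - 1] = true;
  }
  return false;
}
// Vet a pattern before it is compiled; returns { ok, reason }.
function checkFilterPattern(source) {
  if (typeof source !== 'string' || source.length > MAX_PATTERN_LENGTH) return { ok: false, reason: 'pattern too long' };
  if (hasNestedQuantifier(source)) return { ok: false, reason: 'nested quantifier' };
  try { new RegExp(source); } catch (e) { return { ok: false, reason: 'invalid regex' }; }
  return { ok: true, reason: '' };
}
// Apply a vetted filter to item names; over-long subjects are skipped, never matched.
function filterItems(source, names) {
  const verdict = checkFilterPattern(source);
  if (!verdict.ok) return { ok: false, reason: verdict.reason, matches: [] };
  const re = new RegExp(source);
  return { ok: true, reason: '', matches: names.filter(n => n.length <= MAX_SUBJECT_LENGTH && re.test(n)) };
}
// Constructed sample item names, including the "evil" subject from the snippet above.
const SAMPLE_ITEMS = ['cpu.load[avg1]', 'cpu.load[avg5]', 'net.if.in[eth0]', 'a'.repeat(25) + '!'];
```

With this guard in front of the filter, `^(a+)+$` is rejected before `RegExp` ever runs, while an ordinary filter such as `^cpu\.load` still matches the two cpu.load items.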

References

- Original CVE Detail: CVE-2025-10630
- Upstream Fix Commit (GitHub)
- Grafana-Zabbix Plugin
- Regular Expression Denial of Service (OWASP)

Conclusion

CVE-2025-10630 serves as yet another warning: user input *must* be sanitized, especially when parsed by complex libraries like regex engines. If you administer Grafana with Zabbix, double-check your plugin versions and update immediately. This “quiet” bug can bring your entire visibility stack to a halt—just by adding a dashboard filter!

Timeline

Published on: 09/19/2025 10:15:34 UTC
Last modified on: 09/24/2025 13:57:31 UTC