Grafana-Zabbix Plugin, Regular Expression Denial of Service (ReDoS), CVE-2025-4321 (Moderate)

Listen to this Post

The vulnerability exists within the Grafana-Zabbix plugin’s data source backend, specifically in the code handling `regex` queries for Zabbix item keys. When a malicious user submits a crafted regular expression pattern containing nested quantifiers and exponential backtracking sequences (e.g., ^(a+)+$), the underlying Go `regexp` package engine processes it inefficiently. This inefficient processing causes the engine to evaluate an exponentially increasing number of path possibilities within the Nondeterministic Finite Automaton (NFA) for the given pattern. Consequently, a single request with a malicious regex can force the CPU into a maximum utilization state for a prolonged period, consuming all available processing resources on a single core and denying service to other legitimate requests by blocking the worker thread.
Platform: Grafana-Zabbix Plugin
Version: < 6.0.0
Vulnerability: ReDoS
Severity: Moderate

date: 2025-09-19

Prediction: 2025-09-26

What Undercode Say:

`curl -s “http://grafana:3000/api/datasources/proxy/1” -H “Content-Type: application/json” -d ‘{“method”:”item.get”,”params”:{“search”:{“key_”:”^(a+)+$”}}}’`

`top -b -n 1 | grep grafana`

`import “regexp”; func main() { _ = regexp.MustCompile(“^(a+)+$”).MatchString(“aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!”) }`

How Exploit:

Craft malicious regex payloads designed for exponential worst-case time complexity and submit them via the plugin’s query interface, targeting the Zabbix data source proxy endpoint to tie up CPU resources.

Protection from this CVE:

Upgrade to plugin version 6.0.0 immediately. Implement WAF rules to filter and block known pathological regex patterns. Enforce query timeouts at the application level.

Impact:

Successful exploitation leads to a full denial of service condition for the affected Grafana instance, rendering it unresponsive to all users by consuming 100% of a CPU core, requiring a process restart to recover.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top