What happened?
We have Grafana deployed on our Kubernetes cluster. During a vulnerability scan, we identified that one of the JavaScript files (public/build/1460.3c4e7eda72470dc619a2.js) contains an outdated library, DOMPurify 2.3.1.
This version of DOMPurify (2.3.1) has known vulnerabilities, including issues like tampering through prototype pollution and nesting-based mXSS (Malicious Cross-Site Scripting).
We are considering creating a Kubernetes job that runs a shell script to update this specific JavaScript file. The process would involve:
1. Downloading the updated purify.min.js file with the latest version (3.1.4).
2. Replacing the DOMPurify 2.3.1 code in the 1460.3c4e7eda72470dc619a2.js file with the updated DOMPurify 3.1.4 code.
However, we are unsure if this solution will work, as all JavaScript files inside the build folder are generated dynamically at Grafana runtime. Any manual changes to a library version in these files could potentially affect Grafana's functionality or introduce further issues.
Even in the latest Grafana Docker image (11.4.0-ubuntu), we found the same vulnerable library inside the 1460.3c4e7eda72470dc619a2.js file.
We need guidance on how to mitigate this vulnerability effectively without causing disruptions to Grafana.
Please refer to the attached vulnerability scan report for additional details.
What did you expect to happen?
We expected Grafana to include an updated version of the DOMPurify library (3.1.4 or later) in its JavaScript files, including 1460.3c4e7eda72470dc619a2.js, to mitigate known vulnerabilities such as tampering through prototype pollution and nesting-based mXSS. This issue should ideally be resolved in the latest Grafana Docker images, like 11.4.0-ubuntu, without requiring manual intervention or custom fixes.
Did this work before?
This issue is related to a known vulnerability in the DOMPurify library version 2.3.1, which has likely been present in previous versions of Grafana as well. As such, it is not a case of functionality breaking, but rather a security vulnerability that has persisted and has not been addressed even in the latest Grafana Docker image (11.4.0-ubuntu).
How do we reproduce it?
1. Deploy the Grafana instance using the latest Docker image (e.g., 11.4.0-ubuntu) or any earlier affected version.
2. Navigate to the file system of the Grafana container or installation directory.
3. Locate the JavaScript file public/build/1460.3c4e7eda72470dc619a2.js.
4. Open the file and inspect it for the DOMPurify library version by searching for "DOMPurify" or relevant function signatures.
5. Confirm that the library version is 2.3.1, which has known vulnerabilities like tampering through prototype pollution and nesting-based mXSS.
This can also be verified through a vulnerability scanning tool that detects outdated libraries in the Grafana build files.
Grafana platform?
Kubernetes
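The reproduction steps above amount to locating bundled copies of DOMPurify in the build directory and reading their version string. The following script, added here as an example and not part of the issue or of Grafana's own code, automates that check so the bundled version can be confirmed before and re-verified after an upgrade. It assumes (heuristically) that a DOMPurify build carries either a `@license DOMPurify X.Y.Z` banner or a minified `.version="X.Y.Z"` assignment near the public API property names `sanitize`, `isSupported` and `removed`; the sample chunk contents and file names are constructed, not real Grafana output.

```python
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Heuristic markers (assumption): DOMPurify source assigns `DOMPurify.version = 'X.Y.Z'`,
# which a minifier turns into something like `e.version="X.Y.Z"`; its public API property
# names survive minification. Some builds also keep an `@license DOMPurify X.Y.Z` banner.
VERSION_RE = re.compile(r'\.version\s*=\s*["\'](\d+\.\d+\.\d+)["\']')
BANNER_RE = re.compile(r'@license\s+DOMPurify\s+(\d+\.\d+\.\d+)')
API_MARKERS = ("sanitize", "isSupported", "removed")
CONTEXT_WINDOW = 4000          # characters around a version assignment to look for markers
MIN_SAFE_VERSION = (3, 1, 4)   # the version the issue asks Grafana to ship


def parse_version(version: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in version.split("."))


def find_dompurify_versions(text: str) -> List[str]:
    """Return DOMPurify version strings found in one JavaScript file's text."""
    found = [m.group(1) for m in BANNER_RE.finditer(text)]
    for m in VERSION_RE.finditer(text):
        # `.version=` is used by many libraries; only count it when the DOMPurify
        # API names appear nearby, so an unrelated library's version is ignored.
        start = max(0, m.start() - CONTEXT_WINDOW)
        end = min(len(text), m.end() + CONTEXT_WINDOW)
        window = text[start:end]
        if all(marker in window for marker in API_MARKERS):
            found.append(m.group(1))
    return list(dict.fromkeys(found))  # de-duplicate, keep first-seen order


def is_outdated(version: str, minimum: Tuple[int, ...] = MIN_SAFE_VERSION) -> bool:
    return parse_version(version) < minimum


def scan_build_dir(build_dir: str) -> Dict[str, List[str]]:
    """Map each .js file (relative path) under build_dir to the DOMPurify versions it bundles."""
    results: Dict[str, List[str]] = {}
    for root, _dirs, files in os.walk(build_dir):
        for name in files:
            if not name.endswith(".js"):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                versions = find_dompurify_versions(fh.read())
            if versions:
                results[os.path.relpath(path, build_dir)] = versions
    return results


# Constructed sample chunk contents (not real Grafana build output).
SAMPLE_OLD = ('/*! @license DOMPurify 2.3.1 | (c) Cure53 and other contributors */'
              'var e={};e.version="2.3.1",e.removed=[],e.isSupported=!0,e.sanitize=function(){};')
SAMPLE_NEW = 'var n={};n.version="3.1.4",n.removed=[],n.isSupported=!0,n.sanitize=function(){};'
SAMPLE_OTHER = 'var t={};t.version="1.0.0",t.render=function(){};'  # unrelated library


def demo() -> Dict[str, List[str]]:
    """Write the constructed chunks into a temporary build dir and scan it."""
    with tempfile.TemporaryDirectory() as build_dir:
        for name, content in (("chunk-old.js", SAMPLE_OLD),
                              ("chunk-new.js", SAMPLE_NEW),
                              ("vendor-other.js", SAMPLE_OTHER)):
            with open(os.path.join(build_dir, name), "w", encoding="utf-8") as fh:
                fh.write(content)
        return scan_build_dir(build_dir)


if __name__ == "__main__":
    for rel_path, versions in sorted(demo().items()):
        for v in versions:
            status = "OUTDATED" if is_outdated(v) else "ok"
            print(f"{rel_path}: DOMPurify {v} [{status}]")
```

Point `scan_build_dir` at the Grafana container's `public/build` directory (for example by copying the script into the pod and running it there) to list every chunk that bundles DOMPurify and its version; because the match is heuristic, treat a hit as something to confirm by inspecting the file, as the reproduction steps describe, rather than as proof on its own.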