CVE-2025-6023
Published: 2025-07-18
Priority: P2 65
CVSS 3.1: 7.6 high (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L)
Exploit: available
EPSS: 37.56% (98.3th percentile)
An open redirect vulnerability has been identified in Grafana OSS that can be exploited to achieve XSS attacks. The vulnerability was introduced in Grafana v11.5.0.
The open redirect can be chained with path traversal vulnerabilities to achieve XSS.
Fixed in versions 12.0.2+security-01, 11.6.3+security-01, 11.5.6+security-01, 11.4.6+security-01 and 11.3.8+security-01.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | grafana_grafana | >= 0 < 1.9.2-0.20250521205822-0ba0b99665a9 | 1.9.2-0.20250521205822-0ba0b99665a9 |
| grafana | grafana | >= 11.3.x < 11.3.8+security-01 | 11.3.8+security-01 |
| grafana | grafana | >= 11.4.x < 11.4.6+security-01 | 11.4.6+security-01 |
| grafana | grafana | >= 11.5.x < 11.5.6+security-01 | 11.5.6+security-01 |
| grafana | grafana | >= 11.6.x < 11.6.3+security-01 | 11.6.3+security-01 |
| grafana | grafana | >= 12.0.x < 12.0.2+security-01 | 12.0.2+security-01 |
Detection & IOCs
Snort rule (sid:2066502):
```snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Grafana Server-Side Open Redirect (CVE-2025-6023)"; flow:established,to_server; http.uri; content:"/user/auth-tokens/rotate|3f|"; fast_pattern; http.uri.raw; content:"redirectTo"; pcre:"/^(?:\x3d|\x25(?:25)?3[dD])[^\x26]*?(?:\x23|\x25(?:25)?23)/R"; reference:url,blog.ethiack.com/blog/grafana-cve-2025-6023-bypass-a-technical-deep-dive; reference:cve,2025-6023; classtype:web-application-attack; sid:2066502; rev:1; metadata:affected_product Grafana, attack_target Server, tls_state TLSDecrypt, created_at 2025_12_30, cve CVE_2025_6023, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_12_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
Detection guidance:
- Look for HTTP requests to /user/auth-tokens/rotate containing a 'redirectTo' parameter where the value includes a fragment identifier (#, URL-encoded as %23 or double-encoded as %2523), indicating exploitation of the open redirect chain.
- Detect open redirect exploitation via organization switching by monitoring for GET requests with path-encoded double-slash sequences (e.g., /%2f%5c) followed by an external domain and an orgId parameter.
- Flag POST /login requests followed immediately by exploitation of the org-switching redirect endpoint from the same session; the login response will contain 'Logged in' and set a grafana_session cookie.
- The two China-based IPs (CHINANET-BACKBONE) were first observed and active only on 28 September 2025, overwhelmingly focused on Grafana; treat them as high-confidence malicious indicators for this campaign.
- Review Grafana logs for traversal-style requests; the CVE-2025-6023 attack chain combines path traversal with open redirect to achieve XSS in scripted dashboards without requiring editor permissions.
- If anonymous access is enabled on Grafana, the XSS attack is exploitable by unauthenticated users; prioritize detection and patching for publicly accessible instances.
- Use the Shodan query 'html:"grafana"' to identify exposed Grafana instances that may be targeted.

Notes:
- The vulnerability was introduced in Grafana v11.5.0; versions 11.3.x and 11.4.x are also affected despite predating 11.5.0, so the patched versions cover a broad range.
- Exploitation requires multiple organizations to exist in the Grafana instance AND the victim must be on a different organization than the one specified in the URL.
- Unlike typical XSS vulnerabilities, this does not require editor permissions: any authenticated user (or unauthenticated user if anonymous access is enabled) can trigger the attack.
- Adding the default Content Security Policy (CSP) configuration as suggested in the Grafana documentation can block this attack as a mitigation short of patching.
- The Snort/ET rule (sid:2066502) requires TLS decryption to be effective against HTTPS Grafana deployments, as indicated by the TLSDecrypt deployment metadata.
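The detection guidance above, as an added example that is not part of this advisory record or of Grafana's or Emerging Threats' own code: a Python log scanner that applies the ET rule's redirectTo-fragment PCRE semantics to the rotate endpoint, flags the encoded org-switching redirect pattern, and correlates it with a preceding POST /login. The access-log format, the 60-second correlation window keyed on client IP (the page speaks of the same session; a grafana_session cookie key would be more precise where the logs carry it), and every host and address in the sample are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

ROTATE_PATH = "/user/auth-tokens/rotate"

# Python equivalent of the ET rule's relative PCRE: right after "redirectTo" comes "="
# (plain, URL-encoded %3d, or double-encoded %253d), then any run of non-"&" characters,
# then a fragment marker "#" (plain, %23, or %2523). An "&" before the fragment ends the
# parameter value, so a fragment in a later parameter does not count.
REDIRECT_TO_FRAGMENT = re.compile(r"redirectTo(?:=|%(?:25)?3[dD])[^&]*?(?:#|%(?:25)?23)")

# Org-switching redirect: the page's example encoding "/%2f%5c" followed by a host-like token.
ORG_SWITCH = re.compile(r"/%2f%5c(?P<host>[^/?#]+)", re.IGNORECASE)

# Assumption: a login followed by an org-switch redirect from the same client within this
# window is treated as the "same session" the guidance describes.
LOGIN_WINDOW = timedelta(seconds=60)

# Constructed sample in a hypothetical "<ts> <client_ip> <method> <raw_uri> <status>" layout.
SAMPLE_LOG = """\
2025-09-28T10:00:01Z 203.0.113.5 GET /api/health 200
2025-09-28T10:00:02Z 203.0.113.9 GET /user/auth-tokens/rotate?redirectTo=%2Fdashboards%23x 302
2025-09-28T10:00:03Z 203.0.113.9 GET /user/auth-tokens/rotate?redirectTo%3D%2Fhome%2523x 302
2025-09-28T10:00:04Z 203.0.113.9 GET /user/auth-tokens/rotate?redirectTo=%2Fhome&x=%23 302
2025-09-28T10:00:05Z 203.0.113.7 POST /login 200
2025-09-28T10:00:06Z 203.0.113.7 GET /%2f%5cevil.example/?orgId=2 302
2025-09-28T10:00:07Z 203.0.113.8 GET /%2f%5cevil.example/?orgId=2 302
2025-09-28T10:00:08Z 203.0.113.5 GET /d/abc?orgId=1 200
"""


def is_rotate_redirect_fragment(raw_uri):
    """True when the rotate endpoint is called with a redirectTo value carrying a fragment."""
    path, sep, _query = raw_uri.partition("?")
    return sep == "?" and path.endswith(ROTATE_PATH) and REDIRECT_TO_FRAGMENT.search(raw_uri) is not None


def is_org_switch_redirect(method, raw_uri):
    """True for a GET whose path holds an encoded double slash, an external-looking host and orgId."""
    if method != "GET":
        return False
    m = ORG_SWITCH.search(raw_uri)
    if not m or "." not in m.group("host"):  # heuristic: the token must look like a domain
        return False
    _path, _sep, query = raw_uri.partition("?")
    return "orgId=" in query


def parse_line(line):
    ts, ip, method, uri, status = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, method, uri, int(status)


def scan_log(text):
    """Return (timestamp, client_ip, tag) findings for every suspicious request in the log text."""
    findings = []
    last_login = {}  # client_ip -> time of the last successful POST /login
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, method, uri, status = parse_line(line)
        if method == "POST" and uri.partition("?")[0] == "/login" and status == 200:
            last_login[ip] = ts
            continue
        if is_rotate_redirect_fragment(uri):
            findings.append((ts, ip, "rotate-redirect-fragment"))
        if is_org_switch_redirect(method, uri):
            tag = "org-switch-redirect"
            login_ts = last_login.get(ip)
            if login_ts is not None and ts - login_ts <= LOGIN_WINDOW:
                tag = "login-then-org-switch-redirect"
            findings.append((ts, ip, tag))
    return findings


if __name__ == "__main__":
    for ts, ip, tag in scan_log(SAMPLE_LOG):
        print(f"{ts.isoformat()} {ip} {tag}")
```

The fourth sample line is the negative case the rule's `[^&]*?` is there for: the fragment sits in a different parameter, so it is not reported.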
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L |
| osv | | 7.6 | HIGH | |
| vendor_redhat | | 7.6 | HIGH | |
OSV · 2025-07-29
CVE-2025-6023: Grafana is vulnerable to XSS attacks through open redirects and path traversal in github.com/grafana/grafana.
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/grafana/grafana before v1.9.2-0.20250521205822-0ba0b99665a9.
GHSA · 2025-07-18 · HIGH · CWE-79
CVE-2025-6023: Grafana is vulnerable to XSS attacks through open redirects and path traversal
An open redirect vulnerability has been identified in Grafana OSS that can be exploited to achieve XSS attacks. The vulnerability was introduced in Grafana v11.5.0.
The open redirect can be chained with path traversal vulnerabilities to achieve XSS.
Fixed in versions 12.0.2+security-01, 11.6.3+security-01, 11.5.6+security-01, 11.4.6+security-01 and 11.3.8+security-01.
OSV · 2025-07-18 · HIGH
CVE-2025-6023: Grafana is vulnerable to XSS attacks through open redirects and path traversal
An open redirect vulnerability has been identified in Grafana OSS that can be exploited to achieve XSS attacks. The vulnerability was introduced in Grafana v11.5.0.
The open redirect can be chained with path traversal vulnerabilities to achieve XSS.
Fixed in versions 12.0.2+security-01, 11.6.3+security-01, 11.5.6+security-01, 11.4.6+security-01 and 11.3.8+security-01.
OSV · 2025-07-18 · HIGH · CVSS 7.6
CVE-2025-6023: An open redirect vulnerability has been identified in Grafana OSS that can be exploited to achieve XSS attacks
An open redirect vulnerability has been identified in Grafana OSS that can be exploited to achieve XSS attacks. The vulnerability was introduced in Grafana v11.5.0. The open redirect can be chained with path traversal vulnerabilities to achieve XSS. Fixed in versions 12.0.2+security-01, 11.6.3+security-01, 11.5.6+security-01, 11.4.6+security-01 and 11.3.8+security-01.
Red Hat · 2025-07-22 · HIGH · CWE-79 · CVSS 7.6
CVE-2025-6023: grafana: Cross Site Scripting in Grafana
An open redirect vulnerability has been identified in Grafana OSS that can be exploited to achieve XSS attacks. The vulnerability was introduced in Grafana v11.5.0.
The open redirect can be chained with path traversal vulnerabilities to achieve XSS.
Fixed in versions 12.0.2+security-01, 11.6.3+security-01, 11.5.6+security-01, 11.4.6+security-01 and 11.3.8+security-01.
A Cross-site scripting (XSS) vulnerability was found in Grafana caused by client path traversal and open redirect. This flaw allows attackers to redirect users to malicious websites that execute arbitrary JavaScript code in scripted dashboards. Unlike many other XSS vulnerabilities, this vulnerability does not require editor permissions. If anonymous access is enabled, the XSS attack
Suricata · 2025-12-30 · HIGH · CVSS 7.6
CVE-2025-6023: ET WEB_SPECIFIC_APPS Grafana Server-Side Open Redirect (CVE-2025-6023)
Rule (as captured here; the full rule text appears in the Detection & IOCs section):
```snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Grafana Server-Side Open Redirect (CVE-2025-6023)"; flow:established,to_server; http.uri; content:"/user/auth-tokens/rotate|3f|"; fast_pattern; http.uri.raw; content:"redirectTo"; pcre:"/^(?:\x3d|\x25(?:25)?3[dD])[^\x26]*?(?:\x23|\x25(?:25)?23)/R"; reference:url,blog.ethiack.com/blog/grafana-cve-2025-6023-bypass-a-technical-deep-dive; reference:cve,2025-6023; classtype:web-application-attack; sid:2066502; rev:1; metadata:affected_product Grafana, attack_target Server, tls_state TLSDecrypt, created_at 2025_12_30, cve CVE_2025_6023, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit,
```
Nuclei · MEDIUM · CVSS 4.2
CVE-2025-6197: Open Redirect via Organization Switching
An open redirect vulnerability has been identified in Grafana OSS organization switching functionality. Prerequisites for exploitation: multiple organizations must exist in the Grafana instance, and the victim must be on a different organization than the one specified in the URL.
Template (as captured here; the impact field is truncated in the source):
```yaml
id: CVE-2025-6197
info:
  name: Open Redirect via Organization Switching
  author: iamnoooob,pdresearch
  severity: medium
  description: |
    An open redirect vulnerability has been identified in Grafana OSS organization switching functionality. Prerequisites for exploitation Multiple organizations must exist in the Grafana instance - Victim must be on a different organization than the one specified in the URL
  impact: |
    Authenticated attackers can redirect users to arbitrary ext
```