CVE-2025-6023
published 2025-07-18


Priority: P2 (65), high
CVSS 3.1 base score: 7.6
Vector: AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:L / A:L
EXPLOIT
EPSS: 37.56% (98.3rd percentile)
An open redirect vulnerability has been identified in Grafana OSS that can be exploited to achieve XSS attacks. The vulnerability was introduced in Grafana v11.5.0. The open redirect can be chained with path traversal vulnerabilities to achieve XSS. Fixed in versions 12.0.2+security-01, 11.6.3+security-01, 11.5.6+security-01, 11.4.6+security-01 and 11.3.8+security-01

Affected (6 ranges)

Vendor     | Product         | Version range                              | Fixed in
github.com | grafana_grafana | >= 0 < 1.9.2-0.20250521205822-0ba0b99665a9 | 1.9.2-0.20250521205822-0ba0b99665a9
grafana    | grafana         | >= 11.3.x < 11.3.8+security-01             | 11.3.8+security-01
grafana    | grafana         | >= 11.4.x < 11.4.6+security-01             | 11.4.6+security-01
grafana    | grafana         | >= 11.5.x < 11.5.6+security-01             | 11.5.6+security-01
grafana    | grafana         | >= 11.6.x < 11.6.3+security-01             | 11.6.3+security-01
grafana    | grafana         | >= 12.0.x < 12.0.2+security-01             | 12.0.2+security-01

Detection & IOCs (extracted from sources)

path: /user/auth-tokens/rotate?
path: /%2f%5coast.pro?orgId=
cookie: redirect_to=%2F
snort rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Grafana Server-Side Open Redirect (CVE-2025-6023)"; flow:established,to_server; http.uri; content:"/user/auth-tokens/rotate|3f|"; fast_pattern; http.uri.raw; content:"redirectTo"; pcre:"/^(?:\x3d|\x25(?:25)?3[dD])[^\x26]*?(?:\x23|\x25(?:25)?23)/R"; reference:url,blog.ethiack.com/blog/grafana-cve-2025-6023-bypass-a-technical-deep-dive; reference:cve,2025-6023; classtype:web-application-attack; sid:2066502; rev:1; metadata:affected_product Grafana, attack_target Server, tls_state TLSDecrypt, created_at 2025_12_30, cve CVE_2025_6023, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_12_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Look for HTTP requests to /user/auth-tokens/rotate containing a 'redirectTo' parameter where the value includes a fragment identifier (#, URL-encoded as %23 or double-encoded as %2523), indicating exploitation of the open redirect chain.
  • Detect open redirect exploitation via organization switching by monitoring for GET requests with path-encoded double-slash sequences (e.g., /%2f%5c) followed by an external domain and orgId parameter.
  • Flag POST /login requests followed immediately by exploitation of the org-switching redirect endpoint from the same session; the login response will contain 'Logged in' and set a grafana_session cookie.
  • The two China-based IPs (CHINANET-BACKBONE) were first observed and active only on 28 September 2025, overwhelmingly focused on Grafana — treat them as high-confidence malicious indicators for this campaign.
  • Review Grafana logs for traversal-style requests; the CVE-2025-6023 attack chain combines path traversal with open redirect to achieve XSS in scripted dashboards without requiring editor permissions.
  • If anonymous access is enabled on Grafana, the XSS attack is exploitable by unauthenticated users — prioritize detection and patching for publicly accessible instances.
  • Use the Shodan query 'html:"grafana"' to identify exposed Grafana instances that may be targeted.
  • The vulnerability was introduced in Grafana v11.5.0; versions 11.3.x and 11.4.x are also affected despite predating 11.5.0 — patched versions cover a broad range.
  • Exploitation requires multiple organizations to exist in the Grafana instance AND the victim must be on a different organization than the one specified in the URL.
  • Unlike typical XSS vulnerabilities, this does not require editor permissions — any authenticated user (or unauthenticated user if anonymous access is enabled) can trigger the attack.
  • Adding the default Content Security Policy (CSP) configuration as suggested in Grafana Documentation can block this attack as a mitigation short of patching.
  • The Snort/ET rule (sid:2066502) requires TLS decryption to be effective against HTTPS Grafana deployments, as indicated by the TLSDecrypt deployment metadata.
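As an added example (not code from this page, from Grafana, or from the ET rule authors), the following Python applies the two URI checks described above to access-log lines: the Snort rule's "redirectTo value contains a fragment marker" test on /user/auth-tokens/rotate, and the path-encoded /%2f%5c org-switch redirect with an orgId parameter. The log-line format, the sample lines, the placeholder hostnames and IPs, and the rule label names are assumptions made for this example.

```python
import re
from typing import Dict, List, Optional

# Labels returned by classify_uri(); the names are this example's own.
RULE_ROTATE_FRAGMENT = "CVE-2025-6023: /user/auth-tokens/rotate redirectTo with fragment"
RULE_ORG_SWITCH = "CVE-2025-6023: org-switch redirect via encoded /\\ prefix"

# Port of the ET/Snort rule (sid:2066502) logic: the URI contains
# "/user/auth-tokens/rotate?" and a redirectTo parameter whose value, up to the
# next '&', carries a fragment marker ('#', '%23' or double-encoded '%2523');
# the '=' after redirectTo may itself be encoded as %3d or %253d.
ROTATE_REDIRECT_FRAGMENT = re.compile(
    r"/user/auth-tokens/rotate\?.*?redirectTo(?:=|%(?:25)?3[dD])[^&]*?(?:#|%(?:25)?23)",
    re.IGNORECASE,
)

# Org-switch open redirect: the path starts with URL-encoded "/\" (%2f%5c)
# followed directly by a hostname, and the query string carries orgId=.
ORG_SWITCH_REDIRECT = re.compile(r"^/%2f%5c[^/?#]+\?[^ ]*\borgId=", re.IGNORECASE)

# Combined-log-style line: <ip> - - [<timestamp>] "<method> <uri> <proto>" <status>
# (constructed format for this example; adapt the regex to your proxy's log format).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_uri(uri: str) -> Optional[str]:
    """Return the matching rule label for a request URI, or None if nothing matched."""
    if ROTATE_REDIRECT_FRAGMENT.search(uri):
        return RULE_ROTATE_FRAGMENT
    if ORG_SWITCH_REDIRECT.search(uri):
        return RULE_ORG_SWITCH
    return None


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Parse access-log lines and return one hit record per suspicious request."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the scan
        label = classify_uri(m.group("uri"))
        if label is not None:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "uri": m.group("uri"), "rule": label})
    return hits


# Constructed sample log: documentation-range IPs, placeholder hostname.
# Lines 2 and 4 are benign (a rotate without a fragment, a normal API call).
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Sep/2025:10:00:01 +0000] "GET /user/auth-tokens/rotate?redirectTo=%2Fdashboards%23x HTTP/1.1" 302',
    '203.0.113.7 - - [28/Sep/2025:10:00:02 +0000] "GET /user/auth-tokens/rotate?redirectTo=%2Fdashboards HTTP/1.1" 302',
    '198.51.100.9 - - [28/Sep/2025:10:00:03 +0000] "GET /%2f%5cexample.invalid?orgId=2 HTTP/1.1" 302',
    '198.51.100.9 - - [28/Sep/2025:10:00:04 +0000] "GET /api/dashboards/home HTTP/1.1" 200',
    '203.0.113.7 - - [28/Sep/2025:10:00:05 +0000] "GET /user/auth-tokens/rotate?redirectTo%253d%2Fx%2523frag HTTP/1.1" 302',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["rule"]} :: {hit["uri"]}')
```

Running the script reports three of the five sample lines (the two rotate requests with a fragment, including the double-encoded one, and the org-switch request). Note that the fragment check stops at the first '&', mirroring the Snort pcre, so a '%23' in a later parameter does not count; and because the check runs on the raw URI, it only sees what the proxy logged, so the same TLS-decryption caveat as the Snort rule applies to where the logs are collected.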

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 7.6   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
osv           |         | 7.6   | HIGH     |
vendor_redhat |         | 7.6   | HIGH     |