CVE-2025-4123

HIGH · EXPLOITED · NUCLEI · LAB

Grafana < 10.4.18 - XSS

Title source: rule

Exploitation Summary

CVE-2025-4123 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 10 public exploits from researchers including Beatriz Fresno Naumova, NightBloodZ, ynsmroztas. A Nuclei detection template is also available.

AI-analyzed exploit summary

The exploit demonstrates an SSRF vulnerability in Grafana versions 11.2.0 to 11.6.0 via path traversal encoding and open redirect in the `render/public` endpoint. The provided HTTP requests show how an attacker can manipulate the server into making requests to arbitrary domains.

Description

A cross-site scripting (XSS) vulnerability exists in Grafana, caused by combining a client path traversal with an open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. The vulnerability does not require editor permissions, and if anonymous access is enabled, the XSS works without any authentication. If the Grafana Image Renderer plugin is installed, the open redirect can also be exploited to achieve a full-read SSRF. The default Content-Security-Policy (CSP) in Grafana blocks the XSS through the `connect-src` directive.

Exploits (10)

exploitdb WORKING POC
by Beatriz Fresno Naumova · text · webapps · multiple
https://www.exploit-db.com/exploits/52491

The exploit demonstrates an SSRF vulnerability in Grafana versions 11.2.0 to 11.6.0 via path traversal encoding and open redirect in the `render/public` endpoint. The provided HTTP requests show how an attacker can manipulate the server into making requests to arbitrary domains.

Classification
Working Poc 95%
Attack Type
Ssrf
Complexity
Moderate
Reliability
Reliable
Target: Grafana 11.2.0 - 11.6.0
No auth needed
Prerequisites: Anonymous access or vulnerable plugins (e.g., Image Renderer) enabled
devstral-2 · analyzed Apr 09, 2026
nomisec WORKING POC 54 stars
by NightBloodZ · poc
https://github.com/NightBloodZ/CVE-2025-4123

This PoC demonstrates a combined SSRF and XSS vulnerability in Grafana (CVE-2025-4123) by serving malicious JavaScript and a fake plugin via a Flask server. The exploit leverages path traversal to trigger the vulnerabilities.

Classification
Working Poc 95%
Attack Type
Xss, Ssrf
Complexity
Moderate
Reliability
Reliable
Target: Grafana 11.2-11.6, 12.0
No auth needed
Prerequisites: Network access to target Grafana instance · Victim interaction for XSS
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 30 stars
by ynsmroztas · client-side
https://github.com/ynsmroztas/CVE-2025-4123-Exploit-Tool-Grafana-

This is a functional proof-of-concept exploit for CVE-2025-4123, a path traversal vulnerability in Grafana's `/public` endpoint. It demonstrates SSRF, LFI, open redirect, and XSS attacks via crafted URLs with encoded path traversal sequences.

Classification
Working Poc 95%
Attack Type
Ssrf | Lfi | Xss | Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Grafana (version not specified)
No auth needed
Prerequisites: Access to Grafana instance with vulnerable `/public` endpoint
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 2 stars
by punitdarji · infoleak
https://github.com/punitdarji/Grafana-cve-2025-4123

This repository provides a proof-of-concept for CVE-2025-4123, demonstrating SSRF and Open Redirect vulnerabilities in Grafana. The exploit leverages path traversal techniques to achieve these attacks.

Classification
Working Poc 80%
Attack Type
Ssrf
Complexity
Trivial
Reliability
Reliable
Target: Grafana (Open Source)
No auth needed
Prerequisites: Access to the target Grafana instance
devstral-2 · analyzed Feb 16, 2026
github SCANNER
by MorphyKutay · go · client-side
https://github.com/MorphyKutay/CVE-2025-4123-Exploit

This repository contains a Go-based tool that scans for CVE-2025-4123 by sending a crafted path traversal payload and checking for 301/302 redirect responses. It does not exploit the vulnerability but detects potential exposure by analyzing the `Location` header.

Classification
Scanner 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Unknown (likely a web server or application with path traversal vulnerability)
No auth needed
Prerequisites: Network access to the target · Target must be vulnerable to the specific path traversal payload
devstral-2 · analyzed Feb 19, 2026
nomisec STUB
by imbas007 · client-side
https://github.com/imbas007/CVE-2025-4123-template

The repository contains only a README.md file with a placeholder title and no exploit code or technical details. It appears to be an empty template or placeholder for CVE-2025-4123.

Classification
Stub 90%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC
by AakiTT · poc
https://github.com/AakiTT/CVE-2025-4123

The repository contains a path traversal exploit for CVE-2025-4123, demonstrating directory traversal sequences that could be used to access unauthorized files or directories. The payloads suggest an SSRF or directory traversal vulnerability.

Classification
Working Poc 90%
Attack Type
Ssrf
Complexity
Trivial
Reliability
Theoretical
Target: Unknown (likely a web server or application with path traversal vulnerability)
No auth needed
Prerequisites: Access to the vulnerable endpoint
devstral-2 · analyzed Jun 11, 2026
nomisec STUB
by kk12-30 · poc
https://github.com/kk12-30/CVE-2025-4123

The repository contains only a README with path traversal payloads for CVE-2025-4123, but no actual exploit code or technical details. It appears to be a placeholder or incomplete PoC.

Classification
Stub 30%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: unspecified
No auth needed
Prerequisites: none specified
devstral-2 · analyzed Feb 16, 2026
vulncheck_xdb WORKING POC
client-side
https://github.com/NightBloodz/CVE-2025-4123

This repository contains a functional exploit for CVE-2025-4123, targeting Grafana versions 11.2 to 12.0. The exploit leverages SSRF and XSS vulnerabilities via crafted paths and a malicious server to deliver payloads.

Classification
Working Poc 95%
Attack Type
Ssrf, Xss
Complexity
Moderate
Reliability
Reliable
Target: Grafana 11.2, 11.3, 11.4, 11.5, 11.6, 12.0
No auth needed
Prerequisites: Access to a vulnerable Grafana instance · Ability to host a malicious server
devstral-2 · analyzed May 10, 2026

Nuclei Templates (1)

Grafana - XSS / Open Redirect / SSRF via Client Path Traversal
HIGH · VERIFIED · by iamnoooob, rootxharsh, pdresearch
Shodan: product:"Grafana"
FOFA: app="Grafana"

Scores

CVSS v3 7.6
EPSS 0.9506
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Lab Environment

COMMUNITY
Community Lab
docker pull grafana/grafana:11.6.0
docker pull grafana/grafana-image-renderer:3.10.0
+6 more repos

Details

VulnCheck KEV 2025-07-21
CWE
CWE-601 CWE-79
Status published
Products (16)
grafana/grafana 10.4.18
grafana/grafana 11.2.9
grafana/grafana 11.3.6
grafana/grafana 11.4.4
grafana/grafana 11.5.4
grafana/grafana 11.6.1
grafana/grafana 12.0.0
grafana/grafana < 10.4.18
grafana/grafana 0 - 0.0.0-20250521183405-c7a690348df7 (Go)
Grafana/Grafana 10.4.18+security-01 - 10.4.19
... and 6 more
Published May 22, 2025
Tracked Since Feb 18, 2026