Grafana 11.6.0 SSRF Vulnerability (CVE‑2025‑4123) Enables Server‑Side Request Forgery Across Multiple Deployments
What Happened – A Server‑Side Request Forgery (SSRF) flaw, CVE‑2025‑4123, affects Grafana 11.2.0 through 11.6.0. The bug resides in the render/public endpoints and is triggered by crafted path‑traversal and open‑redirect input, allowing an unauthenticated attacker to make the Grafana server issue HTTP requests to arbitrary hosts.
Why It Matters for TPRM (Third‑Party Risk Management) –
- Third‑party monitoring tools are often granted broad network access; an SSRF can be leveraged to pivot into internal services.
- Exploitation may expose internal services, credentials, or cloud metadata endpoints, putting the entire supply chain at risk.
- Many organizations run Grafana in SaaS or self‑hosted modes; the vulnerability spans both, expanding the attack surface for vendors and their customers.
Who Is Affected – SaaS monitoring platforms, cloud‑hosted Grafana instances, on‑premise Grafana deployments, and any organization that integrates Grafana with plugins (e.g., Image Renderer) or enables anonymous access.
Recommended Actions –
- Inventory all Grafana instances (SaaS and self‑hosted) and verify version ≥ 11.6.1 or apply the vendor‑released patch.
- Disable anonymous access and restrict the Image Renderer plugin to trusted origins.
- Implement outbound request filtering on the Grafana host to block unexpected external calls.
- Conduct a focused SSRF test against the render/public endpoints as part of your regular pen‑test cycle.
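The first recommended action, inventorying instances and confirming the version, can be automated against Grafana's unauthenticated `/api/health` endpoint, which reports the running version. The script below is an added example (not from the advisory or from Grafana's own tooling); it assumes the affected range and fixed version stated above, assumes that vendor backport builds carry a `+security-NN` build tag (label those for manual confirmation rather than guessing), and ships with constructed sample responses so it runs offline.

```python
"""Inventory check for the Grafana advisory above: fetch /api/health from each
instance and classify its version against the affected range and fixed release."""
import json
import urllib.request

# Inclusive range reported in the advisory, and the first fixed release.
AFFECTED_RANGE = ((11, 2, 0), (11, 6, 0))
FIXED_VERSION = (11, 6, 1)


def parse_version(text):
    """'11.6.0', '11.6.0-pre' or '11.3.0+security-01' -> ((11, 6, 0), build_metadata)."""
    core, _, metadata = text.partition("+")
    core = core.split("-")[0]                      # drop pre-release suffix
    return tuple(int(part) for part in core.split(".")[:3]), metadata


def classify(version_text):
    """Map a version string to one of: patched, affected, verify_vendor_patch,
    outside_reported_range."""
    core, metadata = parse_version(version_text)
    if core >= FIXED_VERSION:
        return "patched"
    low, high = AFFECTED_RANGE
    if low <= core <= high:
        # Assumption: a vendor backport carries a '+security-NN' build tag.
        # Do not trust it blindly; confirm against the vendor's release notes.
        return "verify_vendor_patch" if "security" in metadata else "affected"
    # Older than 11.2.0: outside the reported range, not proven safe.
    return "outside_reported_range"


def fetch_health(base_url, timeout=5):
    """GET <base_url>/api/health; needs no credentials and returns JSON with 'version'."""
    with urllib.request.urlopen(base_url.rstrip("/") + "/api/health", timeout=timeout) as resp:
        return json.load(resp)


def check_instances(base_urls, fetch=fetch_health):
    """Return {base_url: status}; 'fetch' is injectable so the check can run offline."""
    report = {}
    for url in base_urls:
        try:
            health = fetch(url)
            report[url] = classify(health["version"])
        except Exception as exc:                   # network error, bad JSON, missing key
            report[url] = f"unreachable ({exc.__class__.__name__})"
    return report


# Constructed sample /api/health bodies (hostnames and versions are made up).
SAMPLE_HEALTH = {
    "https://grafana-prod.example": {"database": "ok", "version": "11.6.1"},
    "https://grafana-staging.example": {"database": "ok", "version": "11.4.0"},
    "https://grafana-legacy.example": {"database": "ok", "version": "10.4.7"},
    "https://grafana-backport.example": {"database": "ok", "version": "11.3.0+security-01"},
}


def offline_fetch(base_url):
    """Stand-in for fetch_health() that serves the constructed sample data."""
    return SAMPLE_HEALTH[base_url]


if __name__ == "__main__":
    for url, status in check_instances(SAMPLE_HEALTH, fetch=offline_fetch).items():
        print(f"{status:24} {url}")
```

Swap `offline_fetch` for the default `fetch_health` to run it against real hosts; treat `unreachable` entries as unknowns to chase, not as clean.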
Technical Notes – The SSRF chain combines double‑encoded path traversal (..%252f%255C…) with an open‑redirect parameter (redirect_to). When the vulnerable endpoint processes the request, Grafana decodes the traversal sequence and follows the redirect, issuing a request to an attacker‑controlled domain (e.g., a DNS‑log service). Successful exploitation can reveal internal IP addresses or cloud metadata, or serve as a foothold for further attacks on internal services. Source: Exploit‑DB 52491
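The two ingredients named above, a double‑encoded traversal sequence in the path and a redirect_to value pointing off‑site, are both visible in ordinary web‑server access logs, so they make a usable detection even before patching. The scanner below is an added example (not part of the advisory or of Grafana): it assumes nginx "combined" log format, assumes the list of trusted redirect hosts is your own Grafana hostnames, and uses constructed log lines (placeholder `.invalid` / `.example` hosts) as input.

```python
"""Scan access logs for the request pattern in the Technical Notes: repeated
percent-decoding that uncovers '../' or '..\\' traversal, combined with a
redirect_to parameter whose target host is not one of ours."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: hosts that a redirect_to value may legitimately point to.
TRUSTED_HOSTS = {"grafana.corp.example"}

# nginx "combined" format: client, ident, user, [time], "METHOD target HTTP/x", ...
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")

# Constructed sample lines (not real traffic). Line 2 carries both indicators;
# line 3 has a redirect_to that stays on a trusted host and should not alert.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jun/2025:10:01:02 +0000] "GET /public/img/grafana_icon.svg HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Jun/2025:10:01:07 +0000] "GET /public/..%252f..%252f..%255c?redirect_to=%2F%2Fdnslog.example.invalid HTTP/1.1" 302 0 "-" "curl/8.0"
10.0.0.9 - - [12/Jun/2025:10:01:09 +0000] "GET /render/d-solo/abc?redirect_to=https%3A%2F%2Fgrafana.corp.example%2Flogin HTTP/1.1" 200 0 "-" "curl/8.0"
10.0.0.11 - - [12/Jun/2025:10:02:00 +0000] "GET /api/health HTTP/1.1" 200 60 "-" "kube-probe/1.29"
"""


def fully_decode(value, max_rounds=4):
    """Percent-decode until the string stops changing.
    Returns (decoded, rounds_that_changed); 2 or more rounds means double encoding."""
    rounds = 0
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
        rounds += 1
    return value, rounds


def redirect_host(raw_value):
    """Host a redirect_to value would send the client to, or None for a relative path."""
    value, _ = fully_decode(raw_value)
    value = value.replace("\\", "/")           # browsers treat backslash like slash
    return urlsplit(value).hostname            # set only for '//host' or 'scheme://host'


def analyse_target(target, trusted_hosts=TRUSTED_HOSTS):
    """Sorted list of finding names for one request target ('/path?query')."""
    parts = urlsplit(target)
    path, rounds = fully_decode(parts.path)
    findings = set()
    if rounds >= 2:
        findings.add("double_encoded")
    if TRAVERSAL_RE.search(path):
        findings.add("traversal")
    for raw in parse_qs(parts.query).get("redirect_to", []):
        host = redirect_host(raw)
        if host and host not in trusted_hosts:
            findings.add("external_redirect")
    return sorted(findings)


def scan_log(text, trusted_hosts=TRUSTED_HOSTS):
    """Return one dict per suspicious line: line number, client, decoded path, findings."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = REQUEST_RE.match(line)
        if not match:
            continue
        findings = analyse_target(match.group("target"), trusted_hosts)
        if findings:
            decoded_path, _ = fully_decode(urlsplit(match.group("target")).path)
            hits.append({"line": number, "client": match.group("client"),
                         "path": decoded_path, "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['client']} {hit['path']!r} -> {', '.join(hit['findings'])}")
```

A line that shows all three findings at once is the strongest signal; `double_encoded` or `traversal` alone against `/public` or `/render` is still worth a look, while a redirect_to that resolves to one of your own hosts is normal login behaviour and is deliberately not reported.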