7.6

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-6023

CVE-2025-6023: Grafana is vulnerable to XSS attacks through open redirects and path traversal

An open redirect vulnerability has been identified in Grafana OSS that can be exploited to achieve XSS attacks. The vulnerability was introduced in Grafana v11.5.0.

The open redirect can be chained with path traversal vulnerabilities to achieve XSS.

Fixed in versions 12.0.2+security-01, 11.6.3+security-01, 11.5.6+security-01, 11.4.6+security-01 and 11.3.8+security-01

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-6023

CVE-2025-6023:

7.6

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/grafana/grafana	go	< 1.9.2-0.20250521205822-0ba0b99665a9	1.9.2-0.20250521205822-0ba0b99665a9

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis of the provided commits clearly indicates that the vulnerability lies within the staticHandler function in pkg/api/static/static.go. All the provided security patches modify this single function to address the same issue. The core of the vulnerability is the lack of input sanitization for the URL path, which is taken directly from the user's request. This allows an attacker to craft a URL that, when processed by Grafana, results in a redirect to a malicious domain. The fix, which is consistently applied across all patches, is the introduction of the path.Clean() function. This function call effectively neutralizes the path traversal and open redirect vulnerability by cleaning the user-provided path before it is used to construct the redirect URL. The new test file pkg/api/static/static_test.go also confirms this by adding a test case for path cleanup.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.6

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-6023: Grafana is vulnerable to XSS attacks through open redirects and path traversal

CVE-2025-6023:

7.6

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2025-6023: Grafana is vulnerable to XSS attacks through open redirects and path traversal

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Basic Information

Basic Information

7.6

7.6

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI