Grafana CVE-2025-6023 Bypass — A Technical Deep Dive

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://blog.ethiack.com/blog/grafana-cve-2025-6023-bypass-a-technical-deep-dive
• Blog Title: Grafana CVE-2025-6023 Bypass — A Technical Deep Dive
• Suggested Section: Pentesting Web -> Open Redirect (and/or XSS) -> Open redirect to XSS chains; also cross-link from File Inclusion/Path Traversal or Client Side Path Traversal for the double-encoding + '?' split + validate/return mismatch technique

🎯 Content Summary

Title/Context
This post (dated 2025-11-27) details a bypass chain that circumvents Grafana’s fix for CVE-2025-6023 (an open redirect that can be escalated into XSS and account takeover). The bypass was originally discovered by @msanft and used as a challenge in Hack.lu CTF 2025. The author validated exposure across customers on 2025-10-20 (24 days before the patch). At the time of writing, no new CVE had been issued...

🔧 Technical Details

Trick 1 — Fragment smuggling to bypass redirect validation (Go url.Parse):
If a backend validates redirects by parsing user input with url.Parse() and only checking URL.Path (e.g., regex + path.Clean()) but ignores URL.Fragment, an attacker can hide the malicious redirect target after #. The parsed path appears safe (/), so validation passes. If the application later constructs the HTTP redirect using the original unsanitized string, the resulting Location header can still encode an external redirect (open redirect), which can be chained into XSS/account takeover.

Trick 2 — Client-side path traversal via “validate decoded/cleaned, return original” bug:
If a frontend path sanitizer decodes and cleans a path (including splitting on ?) and performs traversal checks on the cleaned value, but then returns the original encoded input, an attacker...

🤖 Agent Actions

Summary:

• Added a new “Fragment smuggling + client-side traversal” section to the Open Redirect page, documenting the Grafana-style bypass chain (fragment smuggling in Go url.Parse + raw redirects, and frontend decode/clean/return-original traversal) culminating in XSS/account takeover via external script loading.
• Included PoC payloads for the server-side redirect, the client-side traversal, and the combined end-to-end exploit, plus notes on CORS requirements.
• Updated references with the technical deep-dive source.

Tests:

• Not run (documentation-only changes).

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://blog.ethiack.com/blog/grafana-cve-2025-6023-bypass-a-technical-deep-dive

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web -> Open Redirect (and/or XSS) -> Open redirect to XSS chains; also cross-link from File Inclusion/Path Traversal or Client Side Path Traversal for the double-encoding + '?' split + validate/return mismatch technique".

Repository Maintenance:

• MD Files Formatting: 936 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0