CVE-2025-41118
Information Disclosure in Pyroscope API via Tencent COS Backend
Publication date: 2026-04-15
Last updated on: 2026-04-20
Assigner: Grafana Labs
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| grafana | pyroscope | < 1.15.2 (1.15.2 excluded) |
| grafana | pyroscope | 1.16.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-732 | The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Pyroscope, an open-source continuous profiling database that supports Tencent Cloud Object Storage (COS) as a storage backend.
If Pyroscope is configured to use Tencent COS, an attacker with direct access to the Pyroscope API can extract the secret_key configuration value.
This secret_key is sensitive information that should be protected, and the vulnerability arises because it can be accessed through the API without proper restrictions.
To mitigate this risk, it is recommended to limit public internet exposure of the Pyroscope database so that only trusted users or internal systems can access it.
How can this vulnerability impact me?
If exploited, this vulnerability allows an attacker to obtain the secret_key used by Pyroscope when configured with Tencent COS storage.
With this secret_key, an attacker could potentially gain unauthorized access to the Tencent Cloud Object Storage backend, leading to data exposure or manipulation.
The vulnerability has a high severity score (CVSS 9.1), indicating it can lead to significant confidentiality and integrity impacts without requiring privileges or user interaction.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, it is highly recommended to limit the public internet exposure of all Pyroscope databases, ensuring they are only accessible by trusted users or internal systems.
Additionally, upgrade Pyroscope to a fixed version: 1.15.2 or above for 1.15.x versions, 1.16.1 or above for 1.16.x versions, and 1.17.0 or above for 1.17.x versions.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an attacker with direct access to the Pyroscope API to extract the secret_key configuration value, exposing sensitive storage credentials. Such exposure of confidential information can lead to unauthorized access to data stored in Tencent Cloud Object Storage (COS).
The compromise of sensitive credentials and potential unauthorized data access can negatively impact compliance with data protection regulations and standards such as GDPR and HIPAA, which require strict controls over the confidentiality and integrity of personal and sensitive data.
To mitigate this risk and help maintain compliance, it is strongly recommended to restrict Pyroscope API access to trusted users or internal systems and avoid public internet exposure.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability requires direct access to the Pyroscope API when it is configured to use Tencent Cloud Object Storage (COS) as the storage backend. Detection involves verifying if your Pyroscope instance is exposed to untrusted networks and if the secret_key configuration can be accessed via the API.
To detect potential exposure, you can check whether the Pyroscope API endpoint is reachable from outside trusted networks using network scanning tools or commands such as:
- Using curl to test API accessibility: `curl -v http://<pyroscope-api-host>:<port>/api`
- Using nmap to scan for the Pyroscope API port: `nmap -p <port> <pyroscope-api-host>`
Additionally, reviewing the Pyroscope configuration files to check if Tencent COS is used as the storage backend and verifying the Pyroscope version to ensure it is patched (1.15.2+, 1.16.1+, or 1.17.0+) can help detect vulnerable instances.
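The two local checks described above (is the running version inside the affected ranges, and does the configuration select the Tencent COS backend) can be scripted for fleet-wide triage. The following is an added example, not code from the advisory, from Grafana Labs or from the Pyroscope project. The version thresholds are the ones stated in this advisory (affected below 1.15.2 and at 1.16.0; fixed in 1.15.2, 1.16.1 and 1.17.0). The configuration key layout `storage.backend` / `storage.cos.secret_key` and the sample config values are assumptions made for the example; adapt the key names to the config file of your deployment.

```python
"""Triage helper for CVE-2025-41118: flag Pyroscope instances that run an
affected version AND use the Tencent COS storage backend.

Added example, not part of the advisory or of the Pyroscope project.
Assumption (not taken from the advisory): the Pyroscope config has already
been loaded into a dict (e.g. with PyYAML) and uses the key layout
storage.backend / storage.cos.secret_key.
"""
import re

# Fix versions stated in the advisory: 1.15.2+ (1.15.x), 1.16.1+ (1.16.x), 1.17.0+.
FIRST_FIXED_ON_BRANCH = {(1, 15): (1, 15, 2), (1, 16): (1, 16, 1)}
FIRST_FIXED_OVERALL = (1, 15, 2)  # every release below this is affected

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Turn 'v1.16.0' or '1.16.0-rc1' into the tuple (1, 16, 0)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised Pyroscope version string: %r" % text)
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(text):
    """True if the version falls in the advisory's affected ranges:
    anything below 1.15.2, or a 1.16.x release below 1.16.1 (i.e. 1.16.0)."""
    v = parse_version(text)
    if v < FIRST_FIXED_OVERALL:
        return True
    branch_fix = FIRST_FIXED_ON_BRANCH.get(v[:2])
    return branch_fix is not None and v < branch_fix


def recommended_fix(text):
    """Smallest fixed release to move to, or None if already fixed.
    Releases older than the 1.15 branch are pointed at 1.15.2."""
    if not is_vulnerable_version(text):
        return None
    v = parse_version(text)
    fix = FIRST_FIXED_ON_BRANCH.get(v[:2], FIRST_FIXED_OVERALL)
    return "%d.%d.%d" % fix


def uses_cos_backend(config):
    """True if the loaded config selects Tencent COS as the storage backend
    (assumed key layout: storage.backend == "cos")."""
    storage = config.get("storage") or {}
    return str(storage.get("backend", "")).lower() == "cos"


def assess(version_text, config):
    """Combine both conditions into one triage verdict for an instance."""
    vuln = is_vulnerable_version(version_text)
    cos = uses_cos_backend(config)
    return {
        "version": version_text,
        "vulnerable_version": vuln,
        "cos_backend": cos,
        "at_risk": vuln and cos,
        "upgrade_to": recommended_fix(version_text),
    }


# Constructed sample config (not a real deployment) following the assumed layout.
SAMPLE_CONFIG = {
    "storage": {
        "backend": "cos",
        "cos": {
            "bucket": "profiles-bucket",
            "region": "ap-shanghai",
            "secret_id": "EXAMPLE_SECRET_ID",
            "secret_key": "EXAMPLE_SECRET_KEY",
        },
    }
}

if __name__ == "__main__":
    for ver in ("1.15.1", "1.15.2", "1.16.0", "1.16.1", "1.17.0"):
        print(assess(ver, SAMPLE_CONFIG))
```

Only instances where both `vulnerable_version` and `cos_backend` are true need the credential rotated and the upgrade scheduled; an affected version on another backend still warrants the upgrade, but the COS secret_key exposure described here does not apply to it.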