CVE-2025-41118
Modified
Modified - Updated After Analysis
Information Disclosure in Pyroscope API via Tencent COS Backend
Vulnerability report for CVE-2025-41118, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-04-15
Last updated on: 2026-06-30
Assigner: Grafana Labs
Description
Description
Pyroscope is an open-source continuous profiling database. The database supports various storage backends, including Tencent Cloud Object Storage (COS).
If the database is configured to use Tencent COS as the storage backend, an attacker could extract the secret_key configuration value from the Pyroscope API.
To exploit this vulnerability, an attacker needs direct access to the Pyroscope API. We highly recommend limiting the public internet exposure of all our databases, such that they are only accessible by trusted users or internal systems.
This vulnerability is fixed in versions:
1.15.x: 1.15.2 and above.
1.16.x: 1.16.1 and above.
1.17.x: 1.17.0 and above (i.e. all versions).
Thanks to ThΓ©o Cusnir for reporting this vulnerability to us via our bug bounty program.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| grafana | pyroscope | to 1.15.2 (exc) |
| grafana | pyroscope | 1.16.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-732 | The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. |
| CWE-201 | The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor. |