CVE-2025-3454
Last modified
CVE-2025-3454 is a medium-severity vulnerability rated 5/10 on the CVSS scale. This vulnerability in Grafana's datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the URL path. Users with minimal permissions could gain unauthorized read access to GET endpoints in Alertmanager and Prometheus datasources. The issue primarily affects datasources that implement route-specific permissions, including Alertmanager and certain Prometheus-based datasources.. EPSS estimates a 0.41% chance of exploitation in the next 30 days.
Description
This vulnerability in Grafana's datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the URL path. Users with minimal permissions could gain unauthorized read access to GET endpoints in Alertmanager and Prometheus datasources. The issue primarily affects datasources that implement route-specific permissions, including Alertmanager and certain Prometheus-based datasources.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Weakness Enumeration
References
Timeline
- Published
- Last Modified
- Status
- Deferred
Frequently Asked Questions
What is CVE-2025-3454?
How severe is CVE-2025-3454?
How do I fix CVE-2025-3454?
Are you affected by CVE-2025-3454?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST