CVE-2025-3454
Grafana's datasource proxy API allows authorization checks to be bypassed in github.com/grafana/grafana
Severity: 5.0 MEDIUM (CVSS 3.1)
EPSS: 0.03%
Description
This vulnerability in Grafana's datasource proxy API allows authorization checks to be bypassed by adding an extra slash character to the URL path. Users with minimal permissions could gain unauthorized read access to GET endpoints of Alertmanager and Prometheus datasources. The issue primarily affects datasources that implement route-specific permissions, including Alertmanager and certain Prometheus-based datasources.
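The description above names the general failure class: an authorization layer that matches the request path as received, while the upstream (or router) later collapses a doubled slash, so a path like `//api/...` misses the protected-route rule and falls through to a permissive default. The following Go program is an added illustration of that class and its mitigation; it is not Grafana's code, and the rule table, permission names and route names in it are constructed for the example. The fix shown is to canonicalise the path (here with `path.Clean`) before it is compared against route-specific permission rules.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Route-specific permission rules for a hypothetical datasource proxy.
// Constructed for this example; not Grafana's actual rule table.
var protectedPrefixes = map[string]string{
	"/api/v1/alerts": "alerts:read",
}

// canonicalPath collapses repeated slashes, resolves "." and "..", and strips
// a trailing slash, so that every spelling of a route compares equal.
func canonicalPath(p string) string {
	if !strings.HasPrefix(p, "/") {
		p = "/" + p
	}
	return path.Clean(p)
}

// authorize decides whether a caller holding perms may reach reqPath.
// With normalize=false the path is matched exactly as received, so a request
// for "//api/v1/alerts" does not match the protected prefix and falls through
// to the permissive default even though the upstream will serve it as
// "/api/v1/alerts". With normalize=true the path is canonicalised first, so the
// rule applies to every spelling of the route.
func authorize(reqPath string, perms map[string]bool, normalize bool) bool {
	p := reqPath
	if normalize {
		p = canonicalPath(reqPath)
	}
	for prefix, need := range protectedPrefixes {
		if strings.HasPrefix(p, prefix) {
			return perms[need]
		}
	}
	// Routes without a specific rule are reachable by any authenticated user.
	return true
}

func main() {
	minimal := map[string]bool{} // a user with no datasource-specific rights
	for _, req := range []string{"/api/v1/alerts", "//api/v1/alerts"} {
		fmt.Printf("%-18s literal match: %-5v  normalised: %v\n",
			req, authorize(req, minimal, false), authorize(req, minimal, true))
	}
}
```

Normalising before the check closes the doubled-slash variant described here; the complementary control, worth applying in the same code path, is to deny requests that match no rule instead of allowing them, so that any future mismatch between the checker's view of the path and the upstream's view fails closed.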
How to fix CVE-2025-3454
To remediate CVE-2025-3454, upgrade the affected package to a fixed version below.
- upgrade to 10.4.17 or later
- upgrade to 0.0.0-20250424191517-1f707d16ed5d or later
- no fix listed
Is CVE-2025-3454 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- >= 10.4.0, < 10.4.17, >= 11.2.0, < 11.5.3, >= 11.6.0, < 11.6.0
- >= 0.0.0-20210414170620-dadccdda06e6, < 0.0.0-20250424191517-1f707d16ed5d
- >= 0.0.0-20210414170620-dadccdda06e6
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.0 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N |