CVE-2025-41118 Overview
CVE-2025-41118 is a critical information disclosure vulnerability affecting Pyroscope, an open-source continuous profiling database maintained by Grafana. When Pyroscope is configured to use Tencent Cloud Object Storage (COS) as its storage backend, an attacker with direct access to the Pyroscope API can extract the secret_key configuration value. This exposes sensitive cloud storage credentials that could be leveraged for unauthorized access to the underlying Tencent COS resources.
Critical Impact
Successful exploitation allows attackers to extract Tencent COS secret keys via the Pyroscope API, potentially enabling unauthorized access to cloud storage resources, data exfiltration, or further lateral movement within the cloud environment.
Affected Products
- Pyroscope versions 1.15.x prior to 1.15.2
- Pyroscope versions 1.16.x prior to 1.16.1
- Pyroscope 1.17.x is not affected: 1.17.0 and above already include the fix
Discovery Timeline
- 2026-04-15 - CVE-2025-41118 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-41118
Vulnerability Analysis
This vulnerability represents a sensitive data exposure issue within Pyroscope's API handling when integrated with Tencent Cloud Object Storage. The flaw allows unauthenticated network-based attackers to retrieve the secret_key configuration parameter through the API without requiring any user interaction or special privileges.
The vulnerability exists in how Pyroscope exposes configuration data through its API endpoints. When Tencent COS is configured as the storage backend, the API inadvertently leaks the secret key credential, which is intended to remain confidential. This type of information disclosure can have cascading effects, as compromised cloud storage credentials may grant attackers access to sensitive profiling data, allow them to modify stored data, or serve as a pivot point for further attacks against the organization's cloud infrastructure.
The exposure requires direct access to the Pyroscope API, emphasizing the importance of proper network segmentation and access controls for database services.
Root Cause
The root cause of CVE-2025-41118 lies in improper handling of sensitive configuration data within Pyroscope's API response generation. The application fails to adequately filter or redact the Tencent COS secret_key from API responses, resulting in credential exposure. This represents a failure in secure configuration management practices, where sensitive authentication credentials should never be exposed through application interfaces.
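The defensive pattern the root cause points at is to make credentials unable to render in plain text, rather than relying on every handler to remember to strip them. The following is an added illustration written for this page, not Pyroscope's own code or the actual fix; the config struct names and the fields `bucket`/`secret_key` are hypothetical, and the key value is a constructed sample. It shows a config whose secret is a plain string (any JSON dump of it leaks the key) next to the same config using a `Secret` type whose `String` and `MarshalJSON` methods redact the value while `UnmarshalJSON` still accepts the real key from configuration input.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Secret is a string that never renders in plain text when the struct holding
// it is printed, logged or encoded as JSON. Several Go projects use this
// pattern for credentials; the type here is an illustration, not Pyroscope's.
type Secret string

// String satisfies fmt.Stringer, so %s/%v and log calls print a marker.
func (s Secret) String() string {
	if s == "" {
		return ""
	}
	return "REDACTED"
}

// MarshalJSON redacts the value in any JSON output, e.g. a config-dump handler.
func (s Secret) MarshalJSON() ([]byte, error) {
	return json.Marshal(s.String())
}

// UnmarshalJSON still loads the real value from configuration input.
func (s *Secret) UnmarshalJSON(b []byte) error {
	var v string
	if err := json.Unmarshal(b, &v); err != nil {
		return err
	}
	*s = Secret(v)
	return nil
}

// PlainCOSConfig models a backend config whose secret is a plain string:
// any handler that marshals it leaks the key. (Hypothetical shape.)
type PlainCOSConfig struct {
	Bucket    string `json:"bucket"`
	SecretKey string `json:"secret_key"`
}

// SafeCOSConfig is the same shape with the key wrapped in Secret.
type SafeCOSConfig struct {
	Bucket    string `json:"bucket"`
	SecretKey Secret `json:"secret_key"`
}

// RenderConfig stands in for a config endpoint: it returns the value as JSON.
func RenderConfig(v interface{}) (string, error) {
	b, err := json.Marshal(v)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// ContainsSecret reports whether rendered output still carries the raw key.
func ContainsSecret(rendered, key string) bool {
	return strings.Contains(rendered, key)
}

func main() {
	const key = "EXAMPLE-SECRET-KEY-NOT-REAL" // constructed sample value
	plain := PlainCOSConfig{Bucket: "profiles", SecretKey: key}
	safe := SafeCOSConfig{Bucket: "profiles", SecretKey: Secret(key)}

	p, _ := RenderConfig(plain)
	s, _ := RenderConfig(safe)
	fmt.Println("plain string field:", p, "leaks:", ContainsSecret(p, key))
	fmt.Println("Secret type field: ", s, "leaks:", ContainsSecret(s, key))
	// The Stringer also covers ad-hoc debug printing of the struct.
	fmt.Printf("debug print: %+v\n", safe)
}
```

Wrapping the field at the type level is what makes the protection hold for future endpoints and log statements too; a per-handler redaction list has to be kept in sync with every new credential added to the configuration.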
Attack Vector
The attack vector is network-based, requiring the attacker to have direct access to the Pyroscope API endpoint. The exploitation flow involves:
- Attacker identifies a Pyroscope instance configured with Tencent COS storage backend
- Attacker sends crafted requests to the Pyroscope API
- The API response includes the sensitive secret_key configuration value
- Attacker extracts the Tencent COS credentials for unauthorized use
No authentication is required, and the attack can be executed without any user interaction. Organizations exposing Pyroscope APIs to the public internet are at heightened risk. For detailed technical information, refer to the Grafana Security Advisory.
Detection Methods for CVE-2025-41118
Indicators of Compromise
- Unexpected or anomalous API requests to Pyroscope endpoints, particularly those querying configuration data
- Unusual access patterns to Tencent COS resources using credentials associated with Pyroscope
- Authentication events from unfamiliar IP addresses or locations against Tencent COS buckets
- Audit logs showing configuration endpoint access from external or unauthorized sources
Detection Strategies
- Monitor Pyroscope API access logs for reconnaissance patterns or high-volume configuration queries
- Implement alerting on Tencent COS API calls from unexpected geographic locations or IP ranges
- Deploy network-based detection for unusual traffic patterns to Pyroscope instances
- Review cloud provider audit logs for credential usage anomalies tied to Pyroscope service accounts
Monitoring Recommendations
- Enable comprehensive logging on all Pyroscope API endpoints and retain logs for forensic analysis
- Configure Tencent COS bucket access logging to track credential usage patterns
- Implement real-time alerting for configuration endpoint access attempts
- Establish baseline API traffic patterns to detect anomalous behavior
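Two of the strategies above, watching for configuration-endpoint access from outside trusted networks and for high-volume configuration queries from one source, can be run over access logs as a small detector. The program below is an added example written for this page, not a Pyroscope or Grafana tool. It assumes a simplified one-line-per-request log format (`time client method path status`, constructed here; a real deployment would adapt the parser to its proxy or server log format), treats `/config` as the configuration path only as a placeholder to be replaced with the paths actually exposed by the deployment, and uses the documentation address ranges for sample clients. It flags any config request from outside the trusted CIDRs once per client and any client that makes at least `Burst` config requests within a sliding window.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"sort"
	"strings"
	"time"
)

// LogEntry is one access-log record in the constructed format used here:
//   <RFC3339 time> <client ip> <method> <path> <status>
type LogEntry struct {
	When   time.Time
	Client net.IP
	Method string
	Path   string
	Status string
}

// Finding is one alert produced by the detector.
type Finding struct {
	Rule   string // "external-config-access" or "config-burst"
	Client string
	Detail string
}

// ParseLog parses lines in the constructed format; malformed lines are
// skipped and counted so a caller can notice parser/format mismatches.
func ParseLog(raw string) ([]LogEntry, int) {
	var entries []LogEntry
	skipped := 0
	sc := bufio.NewScanner(strings.NewReader(raw))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 5 {
			skipped++
			continue
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		ip := net.ParseIP(f[1])
		if err != nil || ip == nil {
			skipped++
			continue
		}
		entries = append(entries, LogEntry{ts, ip, f[2], f[3], f[4]})
	}
	return entries, skipped
}

// Detector holds the policy: which paths count as configuration endpoints
// (assumed, deployment-specific), which networks may read them, and the
// burst threshold per sliding window.
type Detector struct {
	ConfigPaths []string
	Trusted     []*net.IPNet
	Burst       int
	Window      time.Duration
}

func NewDetector(configPaths, trustedCIDRs []string, burst int, window time.Duration) (*Detector, error) {
	d := &Detector{ConfigPaths: configPaths, Burst: burst, Window: window}
	for _, c := range trustedCIDRs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, err
		}
		d.Trusted = append(d.Trusted, n)
	}
	return d, nil
}

func (d *Detector) isConfigPath(p string) bool {
	for _, c := range d.ConfigPaths {
		if p == c || strings.HasPrefix(p, c+"/") || strings.HasPrefix(p, c+"?") {
			return true
		}
	}
	return false
}

func (d *Detector) isTrusted(ip net.IP) bool {
	for _, n := range d.Trusted {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Analyze returns findings sorted by client, then rule name.
func (d *Detector) Analyze(entries []LogEntry) []Finding {
	var out []Finding
	external := map[string]bool{}
	hits := map[string][]time.Time{}
	for _, e := range entries {
		if !d.isConfigPath(e.Path) {
			continue
		}
		c := e.Client.String()
		if !d.isTrusted(e.Client) && !external[c] {
			external[c] = true
			out = append(out, Finding{"external-config-access", c,
				fmt.Sprintf("%s %s from outside trusted networks at %s", e.Method, e.Path, e.When.Format(time.RFC3339))})
		}
		hits[c] = append(hits[c], e.When)
	}
	// Sliding-window burst check per client.
	for c, ts := range hits {
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		start := 0
		for i := range ts {
			for ts[i].Sub(ts[start]) > d.Window {
				start++
			}
			if i-start+1 >= d.Burst {
				out = append(out, Finding{"config-burst", c, fmt.Sprintf("%d config requests within %s", i-start+1, d.Window)})
				break
			}
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Client != out[j].Client {
			return out[i].Client < out[j].Client
		}
		return out[i].Rule < out[j].Rule
	})
	return out
}

// SampleLog is a constructed excerpt; the external addresses are from the
// documentation ranges and the internal ones from 10.0.0.0/8.
const SampleLog = `
2026-04-15T10:00:01Z 10.0.5.12 GET /ingest 200
2026-04-15T10:00:02Z 10.0.5.12 GET /config 200
2026-04-15T10:00:05Z 203.0.113.7 GET /config 200
2026-04-15T10:00:06Z 203.0.113.7 GET /config 200
2026-04-15T10:00:07Z 203.0.113.7 GET /config 200
2026-04-15T10:00:08Z 198.51.100.9 GET /query 200
2026-04-15T10:00:09Z 10.0.5.40 GET /config 200
`

func main() {
	entries, skipped := ParseLog(SampleLog)
	d, err := NewDetector([]string{"/config"}, []string{"10.0.0.0/8"}, 3, time.Minute)
	if err != nil {
		panic(err)
	}
	fmt.Printf("parsed %d entries (%d skipped)\n", len(entries), skipped)
	for _, f := range d.Analyze(entries) {
		fmt.Printf("[%s] %s: %s\n", f.Rule, f.Client, f.Detail)
	}
}
```

On the sample the trusted clients produce nothing, while 203.0.113.7 triggers both rules. The external-access rule is the higher-signal one for this CVE because a single unauthenticated read is enough to expose the key; the burst rule mainly catches scanning. Once the fix is deployed, the same detector still tells you who was reading configuration during the exposure window, which is the input you need for the credential-rotation and COS audit steps.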
How to Mitigate CVE-2025-41118
Immediate Actions Required
- Upgrade Pyroscope to patched versions: 1.15.2 or above for 1.15.x, 1.16.1 or above for 1.16.x, or any 1.17.x version
- Restrict network access to Pyroscope APIs to trusted internal systems only
- Rotate Tencent COS credentials immediately if exposure is suspected
- Audit Tencent COS access logs for any unauthorized activity during the exposure window
Patch Information
Grafana has released patched versions addressing this vulnerability:
- Version 1.15.2 and above for the 1.15.x branch
- Version 1.16.1 and above for the 1.16.x branch
- Version 1.17.0 and above for the 1.17.x branch (all versions patched)
Users should upgrade to the appropriate patched version for their deployment branch. See the Grafana Security Advisory for official guidance and download links.
Workarounds
- Implement network segmentation to ensure Pyroscope APIs are not exposed to the public internet
- Deploy a reverse proxy or API gateway with authentication in front of Pyroscope instances
- Use firewall rules to restrict API access to trusted IP ranges only
- Consider switching to an alternative storage backend until patching can be completed
# Example: Restrict Pyroscope API access using iptables
# 4040 is Pyroscope's default HTTP listen port; change it if your deployment differs.
# Allow only the trusted internal network (adjust CIDR as needed), then drop everything else.
# Rule order matters: -A appends, so any earlier ACCEPT rule for port 4040 in the chain would still win.
iptables -A INPUT -p tcp --dport 4040 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 4040 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.