Grafana datasource proxy API bypass via slash leads to unauthorized read
CVE-2025-3454 Published on June 2, 2025

This vulnerability in Grafana's datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the URL path. Users with minimal permissions could gain unauthorized read access to GET endpoints in Alertmanager and Prometheus datasources. The issue primarily affects datasources that implement route-specific permissions, including Alertmanager and certain Prometheus-based datasources.

NVD

Vulnerability Analysis

CVE-2025-3454 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity and availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
LOW
User Interaction:
NONE
Scope:
CHANGED
Confidentiality Impact:
LOW
Integrity Impact:
NONE
Availability Impact:
NONE

Weakness Type

What is an AuthZ Vulnerability?

The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

CVE-2025-3454 has been classified to as an AuthZ vulnerability or weakness.


Products Associated with CVE-2025-3454

Want to know whenever a new CVE is published for Grafana Labs Grafana? stack.watch will email you.

Grafana Labs Grafana
 

Affected Versions

Grafana: Grafana Enterprise:

Exploit Probability

EPSS
0.02%
Percentile
3.30%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.