- Description
- This vulnerability in Grafana's datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the URL path. Users with minimal permissions could gain unauthorized read access to GET endpoints in Alertmanager and Prometheus datasources. The issue primarily affects datasources that implement route-specific permissions, including Alertmanager and certain Prometheus-based datasources.
- Source
- security@grafana.com
- NVD status
- Awaiting Analysis
CVSS 3.1
- Type
- Secondary
- Base score
- 5
- Impact score
- 1.4
- Exploitability score
- 3.1
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
- Severity
- MEDIUM
- security@grafana.com
- CWE-285
- Hype score
- Not currently trending
CVE-2025-3454 This vulnerability in Grafana's datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the URL path. Users with minimal … https://t.co/eARvpCkT8b
@CVEnew
2 Jun 2025
312 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
New post from https://t.co/uXvPWJy6tj (CVE-2025-3454 | Grafana 10.4.0 Data Source Proxy API improper authorization) has been published on https://t.co/3L1EwTyFqa
@WolfgangSesin
23 Apr 2025
10 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes