CVE-2025-3454 — Vulnetix

Try Vulnetix Request Demo

CVE-2025-3454 PUBLISHED

This vulnerability in Grafana's datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the URL path. Users with minimal permissions could gain unauthorized read access to GET endpoints in Alertmanager and Prometheus datasources. The issue primarily affects datasources that implement route-specific permissions, including Alertmanager and certain Prometheus-based datasources.

EPSS 0.02% · 4.1th percentile

Risk Scores

EPSS Score

0.02%

4.1th percentile

Affected Products

Vendor	Product	Versions
Bitnami	grafana	10.4.0, 11.2.0, 11.6.0
Bitnami	grafana	10.4.0, 11.2.0, 11.6.0

Timeline

Apr 22, 2025 CVE Published
Jun 2, 2025 EPSS Score
Jun 3, 2025 Coalition ESS Score
Jun 12, 2025 EPSS Score
Jun 22, 2025 EPSS Score
Jul 3, 2025 EPSS Score
Jul 13, 2025 EPSS Score
Jul 23, 2025 EPSS Score
Aug 2, 2025 EPSS Score
Aug 12, 2025 EPSS Score
Aug 22, 2025 Coalition ESS Score
Aug 23, 2025 EPSS Score

References

Open in Interactive Console →