CVE-2025-3454 — Vulnetix

CVE-2025-3454 PUBLISHED

This vulnerability in Grafana's datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the URL path. Users with minimal permissions could gain unauthorized read access to GET endpoints in Alertmanager and Prometheus datasources. The issue primarily affects datasources that implement route-specific permissions, including Alertmanager and certain Prometheus-based datasources.

EPSS 0.03% · 9.8th percentile

Risk Scores

EPSS Score

0.03%

9.8th percentile

Affected Products

Vendor	Product	Versions
Bitnami	grafana	10.4.0, 11.2.0, 11.6.0
Bitnami	grafana	11.2.0, 11.6.0, 10.4.0

Timeline

Apr 22, 2025 CVE Published
Jun 2, 2025 EPSS Score
Jun 3, 2025 Coalition ESS Score
Jun 13, 2025 EPSS Score
Jun 24, 2025 EPSS Score
Jul 4, 2025 EPSS Score
Jul 15, 2025 EPSS Score
Jul 26, 2025 EPSS Score
Aug 6, 2025 EPSS Score
Aug 16, 2025 EPSS Score
Aug 22, 2025 Coalition ESS Score
Aug 26, 2025 Coalition ESS Score

References

https://grafana.com/security/security-advisories/cve-2025-3454/ url
https://nvd.nist.gov/vuln/detail/CVE-2025-3454 url
Multiples vulnérabilités dans Grafana advisory

Open in Interactive Console →