CVE-2025-3454
📋 TL;DR
This vulnerability in Grafana's datasource proxy API allows users with minimal permissions to bypass authorization checks by adding an extra slash character in URL paths. It enables unauthorized read access to GET endpoints in Alertmanager and Prometheus datasources. Organizations using affected Grafana versions with these datasources are at risk.
💻 Affected Systems
- Grafana
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers with minimal Grafana permissions could access sensitive monitoring data from Alertmanager and Prometheus, potentially exposing alert configurations, metrics, and system state information.
Likely Case
Internal users with basic permissions could inadvertently or intentionally access monitoring data they shouldn't see, potentially violating data segregation policies.
If Mitigated
With proper network segmentation and minimal necessary permissions, impact is limited to unauthorized data viewing within the monitoring system.
🎯 Exploit Status
Exploitation requires valid Grafana user credentials with minimal permissions. The bypass technique is simple (adding an extra slash to the URL path).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Grafana 10.4.4, 11.1.4, 11.2.2
Vendor Advisory: https://grafana.com/security/security-advisories/cve-2025-3454/
Restart Required: Yes
Instructions:
1. Back up your Grafana configuration and database.
2. Stop the Grafana service.
3. Upgrade to a patched version using your package manager, or download it from the Grafana website.
4. Restart the Grafana service.
5. Verify that the upgrade completed successfully.
🔧 Temporary Workarounds
Restrict datasource access
Limit user permissions to only the necessary datasources and implement strict role-based access control.
# Review and adjust Grafana user permissions via UI or API
# Use Grafana's built-in role management to restrict datasource access
🧯 If You Can't Patch
- Implement network segmentation to isolate Grafana from sensitive monitoring backends
- Enable detailed audit logging for all datasource proxy API calls and monitor for suspicious patterns
🔍 How to Verify
Check if Vulnerable:
Check Grafana version via web interface (Admin → Server Admin → Stats) or command line: grafana-server -v
Check Version:
grafana-server -v 2>/dev/null || grafana-server version 2>/dev/null || grep version /etc/grafana/grafana.ini
Verify Fix Applied:
After patching, verify that the version is 10.4.4, 11.1.4, or 11.2.2, or a later release in the same series. Test that adding an extra slash to datasource proxy URLs no longer bypasses permissions.
📡 Detection & Monitoring
Log Indicators:
- Unusual patterns of datasource proxy API calls with double slashes in URLs
- Access to Alertmanager/Prometheus endpoints by users without proper permissions
Network Indicators:
- HTTP requests to Grafana datasource endpoints containing '//' in URL paths
SIEM Query:
source="grafana" AND (url="*//*" OR path="*//*") AND (datasource="alertmanager" OR datasource="prometheus")
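As an added detection example (not part of this advisory page or of Grafana's own tooling), the following Python scans constructed Grafana-style access-log lines for datasource proxy requests whose upstream path contains a doubled slash and reports the normalized route each one actually resolves to. The key=value log field names and the sample lines are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines (assumption: key=value fields named
# method, path, status and uname, as in a simplified Grafana access log).
SAMPLE_LOG = """\
t=2025-05-01T10:00:01Z lvl=info msg="Request Completed" method=GET path=/api/datasources/proxy/uid/abc123/api/v1/alerts status=200 uname=viewer1
t=2025-05-01T10:00:02Z lvl=info msg="Request Completed" method=GET path=/api/datasources/proxy/uid/abc123//api/v1/alerts status=200 uname=viewer1
t=2025-05-01T10:00:03Z lvl=info msg="Request Completed" method=GET path=/api/datasources/proxy/1//api/v1/query status=200 uname=viewer2
t=2025-05-01T10:00:04Z lvl=info msg="Request Completed" method=GET path=/api/dashboards//home status=200 uname=editor1
t=2025-05-01T10:00:05Z lvl=info msg="Request Completed" method=POST path=/api/datasources/proxy/1/api/v1/query status=200 uname=editor1
"""

# Datasource proxy routes: numeric id or uid/<uid>, then the upstream path.
PROXY_PREFIX = re.compile(r"^/api/datasources/proxy/(?:uid/[^/]+|\d+)(/.*)?$")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    user: str
    method: str
    raw_path: str
    normalized: str


def normalize_path(path: str) -> str:
    """Collapse runs of '/' to show the route the request really resolves to."""
    return re.sub(r"/{2,}", "/", path)


def parse_line(line: str) -> dict:
    """Split a key=value log line into a dict (quoted values unquoted)."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def find_slash_bypass_attempts(log_text: str) -> list:
    """Flag datasource-proxy requests whose upstream path contains '//'.

    Only the datasource proxy API is in scope here; a doubled slash elsewhere
    (e.g. under /api/dashboards) is ignored so the output stays low-noise.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        path = rec.get("path", "")
        match = PROXY_PREFIX.match(path)
        if match is None:
            continue
        upstream = match.group(1) or ""
        if "//" in upstream:
            findings.append(Finding(rec.get("uname", "?"), rec.get("method", "?"),
                                    path, normalize_path(path)))
    return findings
```

Feed real access logs through `find_slash_bypass_attempts` and review each finding's user against the datasource permissions that user should have.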