External risk intelligence

Attacker can steal sensitive credentials from Pyroscope with direct API access

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2025-41118

An external attacker can exploit a flaw in the Pyroscope API to steal secret keys used for cloud storage. This could allow unauthorized access to sensitive profiling data within the organization's cloud environment.

2Halo Surface Signal

Grafana Pyroscope

before 1.15.21.16.0

External exposure likelihood

Halo Surface Signal score for CVE-2025-41118

Pyroscope is a continuous profiling database designed for internal monitoring. The API is intended to be accessed by trusted users or internal systems rather than the public internet. The vendor explicitly recommends restricting network access, confirming that public exposure is not the standard or intended deployment pattern for this type of backend service.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in Pyroscope allows an attacker with direct access to its API to steal sensitive Tencent Cloud secret keys. This is concerning because these keys could grant unauthorized access to your cloud storage, potentially leading to data breaches or service disruptions.

Secret key exposure.
Requires API access.
Cloud storage compromise.

Attack Path

How an attacker could exploit the issue

An attacker could abuse this flaw if they can access the Pyroscope API. By sending a crafted request, they can extract sensitive Tencent COS secret keys. This stolen key could then be used to access or manipulate cloud storage.

Direct API access needed.
Exploits COS backend configuration.
Secret key exfiltration is the goal.

Live Threat

Current exploitation, exposure, and threat context

Attackers are unlikely to weaponize this CVE because it requires direct access to the Pyroscope API, which is typically not exposed to the public internet. Exploitation is contingent on the database being misconfigured with public access or a compromised internal network.

Requires API access.
Unlikely public exposure.
Vendor advises restricting access.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Teams should prioritize upgrading Pyroscope to patched versions to fix the critical vulnerability allowing secret key extraction via the API, especially if Tencent COS is used as a storage backend. If immediate patching is not feasible, restrict API access to prevent exploitation.

Upgrade Pyroscope to 1.15.2, 1.16.1, or 1.17.0+.
Restrict API network access.
Monitor for unauthorized API access.

Frequently asked questions

What is Pyroscope and its role as an open-source continuous profiling database?

Pyroscope is an open-source tool designed for continuous profiling, allowing developers to monitor application performance in real-time. It functions as a database that stores and analyzes profiling data, which can help in identifying performance bottlenecks and understanding application behavior over time. Its architecture supports various storage backends, including cloud-based options like Tencent Cloud Object Storage (COS).

What weakness class is associated with CVE-2025-41118 in Pyroscope?

The vulnerability CVE-2025-41118 in Pyroscope is associated with the weakness class CWE-732. This category typically refers to ""'Security Decision Uses Always-On Checks"" or other authorization-related weaknesses where access controls are improperly implemented, potentially allowing unauthorized actions or data disclosure.

What are the preconditions for an attacker to exploit CVE-2025-41118, and what is the scope of impact?

The primary precondition for an attacker to exploit CVE-2025-41118 is direct access to the Pyroscope API. If an attacker has this access, they can extract sensitive configuration values, specifically the secret_key used for the Tencent COS storage backend. The scope of impact is significant, as the compromised secret key could grant unauthorized access to cloud storage resources.

What is the relevance of Halo Surface Signal's assessment for CVE-2025-41118?

Halo Surface Signal assesses CVE-2025-41118 as 'Unlikely' to be exploited in the wild. This is because Pyroscope is typically used for internal monitoring and its API is intended for trusted users or internal systems. The vendor's recommendation to limit public internet exposure for databases reinforces that public accessibility is not the standard deployment pattern, making external exploitation less probable.

What practical steps should users take to respond to CVE-2025-41118?

To address CVE-2025-41118, users should prioritize upgrading Pyroscope to patched versions: 1.15.2 and above for the 1.15.x series, 1.16.1 and above for the 1.16.x series, or any version within the 1.17.x series. If immediate patching is not possible, restricting network access to the Pyroscope API is crucial to prevent exploitation. Monitoring for any unauthorized API access is also recommended.

References

grafana.com/security/security-advisories/cve-2025-41118

Written by Nicholas Merritt

External-surface CVE analysis and Halo Surface Signal prioritization for Halo Threat Intelligence.