CVE Catalog

CVE-2025-41118

CriticalCVSS 9.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.41%

32th percentile — higher than 32% of all known CVEs

Summary

A vulnerability in Pyroscope allows an attacker to extract the secret_key configuration value for Tencent COS storage backend via the API, if the database uses this backend. Direct access to the Pyroscope API is required.

Risk Assessment

The risk involves potential compromise of Tencent cloud access keys, leading to unauthorized data access or data exfiltration from the storage backend.

Recommendation

Immediately upgrade Pyroscope to version 1.15.2, 1.16.1, or 1.17.0 (depending on the branch) and restrict API access to trusted users and internal systems only.

Original NVD description (English source)

Pyroscope is an open-source continuous profiling database. The database supports various storage backends, including Tencent Cloud Object Storage (COS). If the database is configured to use Tencent COS as the storage backend, an attacker could extract the secret_key configuration value from the Pyroscope API. To exploit this vulnerability, an attacker needs direct access to the Pyroscope API. We highly recommend limiting the public internet exposure of all our databases, such that they are only accessible by trusted users or internal systems. This vulnerability is fixed in versions: 1.15.x: 1.15.2 and above. 1.16.x: 1.16.1 and above. 1.17.x: 1.17.0 and above (i.e. all versions). Thanks to Théo Cusnir for reporting this vulnerability to us via our bug bounty program.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS