CVE-2025-41118

Pyroscope · Pyroscope

Pyroscope is vulnerable to an information disclosure flaw where the `secret_key` configuration can be extracted from the API when Tencent Cloud Object Storage is used as a backend.

Executive summary

A critical information disclosure vulnerability in Pyroscope allows attackers to extract sensitive secret keys, potentially leading to unauthorized access to storage backends.

Vulnerability

When configured with Tencent Cloud Object Storage (COS) as its storage backend, Pyroscope exposes the `secret_key` configuration value through its API instead of redacting it. An attacker with direct access to the API can read this key and use it against the storage backend itself.
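The defensive pattern this flaw calls for is to redact secret-bearing fields before any configuration view is serialized for an API response. The following is an added example written for this advisory, not Pyroscope's own code: the configuration layout (a `storage` block with a COS `secret_key`), the field-name pattern, and the `config_handler` function are all constructed assumptions used only to illustrate the technique.

```python
"""Redact secret-bearing fields before a config is exposed over an API.

Added example, not Pyroscope's code. The config shape below (a 'storage'
block with a COS 'secret_key') is a constructed, hypothetical layout.
"""
import json
import re

# Key names that must never leave the process in plaintext. The pattern is an
# assumption for this example; extend it to match your own config schema.
SECRET_KEY_PATTERN = re.compile(
    r"(secret|password|passwd|token|api_key|private_key)", re.IGNORECASE
)
REDACTED = "<redacted>"


def redact(value):
    """Return a deep copy of `value` with every secret-named field replaced."""
    if isinstance(value, dict):
        return {
            k: (REDACTED if SECRET_KEY_PATTERN.search(str(k)) else redact(v))
            for k, v in value.items()
        }
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


def config_handler(config):
    """What a config-dump style endpoint should return: the redacted view."""
    return json.dumps(redact(config), indent=2, sort_keys=True)


def leaked_secrets(serialized, config):
    """Regression check: list secret-named keys whose raw value appears in the output."""
    found = []

    def walk(node):
        if isinstance(node, dict):
            for k, v in node.items():
                if SECRET_KEY_PATTERN.search(str(k)) and isinstance(v, str) and v in serialized:
                    found.append(k)
                walk(v)
        elif isinstance(node, list):
            for v in node:
                walk(v)

    walk(config)
    return found


# Constructed sample configuration (hypothetical schema, placeholder values).
SAMPLE_CONFIG = {
    "server": {"http_listen_port": 4040},
    "storage": {
        "backend": "cos",
        "cos": {
            "bucket": "profiles-example",
            "region": "ap-example",
            "secret_id": "EXAMPLE-SECRET-ID",
            "secret_key": "EXAMPLE-SECRET-KEY-DO-NOT-SHIP",
        },
    },
}


if __name__ == "__main__":
    # The unredacted dump leaks the key; the handler output does not.
    print("unredacted leaks:", leaked_secrets(json.dumps(SAMPLE_CONFIG), SAMPLE_CONFIG))
    print("handler leaks:", leaked_secrets(config_handler(SAMPLE_CONFIG), SAMPLE_CONFIG))
    print(config_handler(SAMPLE_CONFIG))
```

`leaked_secrets` is the check worth keeping as a unit test on any service that offers a config or debug endpoint: it walks the real configuration and fails if a raw secret value ever reappears in the serialized response, which catches a new secret-bearing field that the redaction pattern does not yet cover.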

Business impact

With a CVSS score of 9.1, this vulnerability presents a significant risk to data confidentiality. Exposure of storage secret keys grants an attacker unauthorized access to potentially sensitive profiling data stored in the cloud, leading to severe privacy and compliance breaches.

Remediation

Immediate Action: Upgrade Pyroscope to a fixed release: 1.15.2 (1.15 line), 1.16.1 (1.16 line), or 1.17.0 or later. Releases below the fix in their own line remain affected.
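Because the fix landed in three release lines, a naive "is the version greater than X" comparison misclassifies builds such as 1.16.0 (below its line's fix) or 1.15.2 (fixed despite being older than 1.16.0). The following is an added fleet-triage helper for this advisory, not Pyroscope's own tooling; it assumes version strings of the form `vMAJOR.MINOR.PATCH` with an optional pre-release suffix, and the `triage` function and its sample input are constructed for illustration.

```python
"""Classify reported Pyroscope versions against the fixed releases named in
the advisory (1.15.2, 1.16.1, 1.17.0). Added example, not Pyroscope's own
tooling; assumes 'vMAJOR.MINOR.PATCH[-prerelease]' version strings."""
import re

FIXED_VERSIONS = ((1, 15, 2), (1, 16, 1), (1, 17, 0))
NEWEST_FIXED = max(FIXED_VERSIONS)

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?")


def parse_version(text):
    """Return ((major, minor, patch), is_prerelease) or raise on unknown formats."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch)), pre is not None


def is_fixed(version):
    """True if `version` is at or above the fix for its release line."""
    v, prerelease = parse_version(version)

    def at_least(fixed):
        # A pre-release of exactly the fixed version is treated as not fixed.
        return v > fixed or (v == fixed and not prerelease)

    # Same-line comparison: 1.15.x needs >= 1.15.2, 1.16.x needs >= 1.16.1.
    for fixed in FIXED_VERSIONS:
        if v[:2] == fixed[:2]:
            return at_least(fixed)
    # Any other line is fixed only if it is at or above the newest fix (1.17.0);
    # older lines such as 1.14.x have no fix and are vulnerable.
    return at_least(NEWEST_FIXED)


def triage(versions):
    """Map each reported version string to 'fixed' or 'vulnerable'."""
    return {v: ("fixed" if is_fixed(v) else "vulnerable") for v in versions}


if __name__ == "__main__":
    # Constructed sample of versions as they might be reported across a fleet.
    for version, status in triage(
        ["v1.14.9", "1.15.1", "1.15.2", "1.16.0", "v1.16.1", "1.17.0-rc1", "1.18.3"]
    ).items():
        print(f"{version:12} {status}")
```

Feed `triage` the version strings collected from your instances (for example from a build-info endpoint or the deployed image tags) and upgrade everything it marks `vulnerable`.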

Proactive Monitoring: Monitor API access logs for unauthorized requests and rotate any `secret_key` values that may have been exposed during the vulnerable period.

Compensating Controls: Restrict access to the Pyroscope API to trusted internal networks or VPNs to prevent direct exposure to the public internet.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Upgrade to the specified fixed versions immediately to remediate the vulnerability. Furthermore, organizations should treat any exposed storage keys as compromised, rotate them immediately, and ensure the Pyroscope instance is not exposed to the public internet.