CVE-2025-3454

CVE-2025-3454 created at 24 May 2025 04:30:44
Severity
+ Medium
Remote
+ Remote
Type
+ Access restriction bypass
Description
+ A vulnerability was found in Grafana's data source proxy API, which allows authorization checks to be bypassed by adding an extra slash character in the URL path. Users with minimal permissions could gain unauthorized read access to GET endpoints in Alertmanager and Prometheus data sources. The issue primarily affects data sources that implement route-specific permissions, including Alertmanager and certain Prometheus-based data sources.
References
+ https://grafana.com/blog/2025/04/22/grafana-security-release-medium-and-high-severity-fixes-for-cve-2025-3260-cve-2025-2703-cve-2025-3454/
Notes