PT-2026-3780 · Pyroscope · Pyroscope
Published 2026-01-02 · Updated 2026-04-21
CVE-2025-41118
CVSS v2.0: 9.4 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions
Pyroscope versions prior to 1.15.2
Pyroscope versions prior to 1.16.1
Description
When configured to use Tencent Cloud Object Storage (COS) as the storage backend, the Pyroscope API may expose the secret key configuration value. An attacker with direct access to the API can extract this sensitive information.
Recommendations
Update to version 1.15.2 or above.
Update to version 1.16.1 or above.
Limit public internet exposure of the database to ensure it is only accessible by trusted users or internal systems.
Fix
Information Disclosure
Incorrect Permission
Related Identifiers
Affected Products
Pyroscope