{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/pyroscope/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2025-41118"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["pyroscope","tencent-cos","secret-key-exposure","cve-2025-41118","cloud"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ePyroscope is an open-source continuous profiling database that supports various storage backends, including Tencent Cloud Object Storage (COS). A vulnerability, identified as CVE-2025-41118, exists where an attacker with direct access to the Pyroscope API can extract the \u003ccode\u003esecret_key\u003c/code\u003e configuration value when Tencent COS is used as the storage backend. This vulnerability poses a significant risk as the exposed secret key could allow unauthorized access to the Tencent COS storage, potentially leading to data breaches or other malicious activities. The vulnerability has been patched in versions 1.15.2 and above, 1.16.1 and above, and all versions of 1.17.x. It is strongly recommended to limit public internet exposure of Pyroscope API instances.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains network access to the Pyroscope API endpoint, either through public exposure or internal network penetration.\u003c/li\u003e\n\u003cli\u003eAttacker sends a crafted HTTP request to the Pyroscope API endpoint designed to expose configuration details. The specific API endpoint and parameters are not detailed in the source but are assumed to exist for configuration management.\u003c/li\u003e\n\u003cli\u003eThe vulnerable Pyroscope API processes the request without proper authorization or input validation.\u003c/li\u003e\n\u003cli\u003eThe API retrieves the Tencent COS storage configuration, including the \u003ccode\u003esecret_key\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esecret_key\u003c/code\u003e is inadvertently included in the API response to the attacker.\u003c/li\u003e\n\u003cli\u003eAttacker extracts the \u003ccode\u003esecret_key\u003c/code\u003e from the API response.\u003c/li\u003e\n\u003cli\u003eAttacker uses the compromised \u003ccode\u003esecret_key\u003c/code\u003e to authenticate to Tencent COS.\u003c/li\u003e\n\u003cli\u003eAttacker gains unauthorized access to data stored in the Tencent COS bucket associated with the compromised \u003ccode\u003esecret_key\u003c/code\u003e, potentially leading to data exfiltration, modification, or deletion.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-41118 grants an attacker unauthorized access to the Tencent COS storage backend used by Pyroscope. This access allows the attacker to read, modify, or delete data stored in the cloud storage. The impact depends on the sensitivity of the data stored in Tencent COS. In a worst-case scenario, a complete data breach and service disruption are possible. The number of affected Pyroscope installations is currently unknown.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Pyroscope instances to the patched versions: 1.15.2+, 1.16.1+, or any 1.17.x version to remediate CVE-2025-41118.\u003c/li\u003e\n\u003cli\u003eImplement network access controls to restrict access to the Pyroscope API to trusted users or internal systems, mitigating initial access, as suggested in the overview.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Pyroscope Configuration Request\u003c/code\u003e to identify potential attempts to access sensitive configuration data via the API.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit the configuration of Pyroscope and its storage backends (Tencent COS) to ensure proper security measures are in place.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T12:00:00Z","date_published":"2026-04-16T12:00:00Z","id":"/briefs/2026-04-pyroscope-secret-key-leak/","summary":"CVE-2025-41118 allows an attacker with direct access to the Pyroscope API, when configured with Tencent COS, to extract the secret_key configuration value, potentially leading to unauthorized access to the cloud storage backend.","title":"Pyroscope Secret Key Exposure via Tencent COS Configuration (CVE-2025-41118)","url":"https://feed.craftedsignal.io/briefs/2026-04-pyroscope-secret-key-leak/"}],"language":"en","title":"CraftedSignal Threat Feed — Pyroscope","version":"https://jsonfeed.org/version/1.1"}