<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Pyroscope — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/pyroscope/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 16 Apr 2026 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/pyroscope/feed.xml" rel="self" type="application/rss+xml"/><item><title>Pyroscope Secret Key Exposure via Tencent COS Configuration (CVE-2025-41118)</title><link>https://feed.craftedsignal.io/briefs/2026-04-pyroscope-secret-key-leak/</link><pubDate>Thu, 16 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-pyroscope-secret-key-leak/</guid><description>CVE-2025-41118 allows an attacker with direct access to the Pyroscope API, when configured with Tencent COS, to extract the secret_key configuration value, potentially leading to unauthorized access to the cloud storage backend.</description><content:encoded><![CDATA[<p>Pyroscope is an open-source continuous profiling database that supports various storage backends, including Tencent Cloud Object Storage (COS). A vulnerability, identified as CVE-2025-41118, exists where an attacker with direct access to the Pyroscope API can extract the <code>secret_key</code> configuration value when Tencent COS is used as the storage backend. This vulnerability poses a significant risk as the exposed secret key could allow unauthorized access to the Tencent COS storage, potentially leading to data breaches or other malicious activities. 
Fixes are available per release line: 1.15.2 and later in the 1.15 series, 1.16.1 and later in the 1.16 series, and every 1.17.x release. Until an instance is upgraded, keep its API off the public internet; reachability of the API is the enabling condition for this issue.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains network access to the Pyroscope API, either because the instance is exposed to the internet or after a foothold on the internal network.</li>
<li>Attacker sends an HTTP request to the Pyroscope API that returns configuration details. The source does not identify the endpoint or parameters involved; the remaining steps only assume that such a configuration-reading path exists.</li>
<li>The vulnerable Pyroscope build serves the request to any caller that can reach the API; the source describes no authorization check between network access and the configuration data.</li>
<li>The API reads the Tencent COS storage configuration, including the <code>secret_key</code>.</li>
<li>The <code>secret_key</code> is returned in the API response rather than being redacted.</li>
<li>Attacker extracts the <code>secret_key</code> from the response.</li>
<li>Attacker uses the key to authenticate to Tencent COS. Tencent COS credentials are a SecretId/SecretKey pair; the advisory names only the <code>secret_key</code>, so assume the paired id is recoverable from the same configuration or elsewhere.</li>
<li>Attacker gains unauthorized access to the COS bucket the credential is valid for, with the ability to exfiltrate, modify, or delete its contents.</li>
</ol>
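<p>The chain above turns on three preconditions: an unpatched build, Tencent COS as the storage backend, and an API reachable from an untrusted network. The following script, an added example and not code from Pyroscope, Grafana or the advisory, triages an inventory of instances against exactly those conditions. It assumes the fixes are per release line (1.15.x from 1.15.2, 1.16.x from 1.16.1, 1.17 and later throughout), that 1.14 and earlier never received one, and that any 2.x release carries it; none of that is stated by the advisory. The inventory is constructed sample data, not real hosts.</p>

```python
"""Triage helper for CVE-2025-41118 against an inventory of Pyroscope instances.

Added example; not code from Pyroscope, Grafana or the advisory. It checks the
three preconditions the attack chain relies on: an unpatched version, Tencent
COS as the storage backend, and an API reachable from outside trusted ranges.
Assumptions (not stated by the advisory): fixes are per release line (1.15.x
from 1.15.2, 1.16.x from 1.16.1, 1.17 and later entirely), 1.14 and earlier
never received one, and any 2.x release carries it.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")

# Minimum patched patch level per 1.x release line; 1.17+ is patched throughout.
PATCHED_MINIMUM = {15: 2, 16: 1}

# Source ranges considered "internal" for the exposure check (IPv4 only here).
PRIVATE_RANGES = [ipaddress.ip_network(c) for c in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse '1.16.0' or 'v1.16.0-rc1' into (major, minor, patch)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Pyroscope version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_patched(version: str) -> bool:
    major, minor, patch = parse_version(version)
    if major != 1:
        return major > 1           # assumption: 2.x and later carry the fix
    if minor >= 17:
        return True                # all of 1.17.x and later 1.x lines
    if minor in PATCHED_MINIMUM:
        return patch >= PATCHED_MINIMUM[minor]
    return False                   # 1.14 and earlier: assumed never fixed


@dataclass(frozen=True)
class Instance:
    name: str
    version: str
    storage_backend: str            # "cos", "s3", "gcs", "filesystem", ...
    ingress_cidrs: tuple[str, ...]  # source ranges the perimeter lets reach the API


def is_publicly_reachable(inst: Instance) -> bool:
    """True if any allowed source range is not wholly inside a private range."""
    for cidr in inst.ingress_cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if not any(p.version == net.version and net.subnet_of(p)
                   for p in PRIVATE_RANGES):
            return True
    return False


def classify(inst: Instance) -> str:
    """Map one instance onto the advisory's preconditions."""
    if inst.storage_backend.lower() != "cos":
        return "not-affected"        # the leaked value is the COS secret_key
    if is_patched(inst.version):
        return "patched"             # rotate the key anyway if it was ever exposed
    if is_publicly_reachable(inst):
        return "exposed"             # unpatched, COS backend, reachable from outside
    return "vulnerable-internal"     # unpatched, but only reachable from trusted ranges


def triage(inventory: list[Instance]) -> list[tuple[str, str]]:
    """Return (name, classification) pairs, most urgent first."""
    order = {"exposed": 0, "vulnerable-internal": 1, "patched": 2, "not-affected": 3}
    rows = [(i.name, classify(i)) for i in inventory]
    return sorted(rows, key=lambda r: (order[r[1]], r[0]))


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    Instance("prof-prod", "v1.16.0", "cos", ("0.0.0.0/0",)),
    Instance("prof-staging", "1.15.1", "cos", ("10.0.0.0/8",)),
    Instance("prof-eu", "1.17.3", "cos", ("0.0.0.0/0",)),
    Instance("prof-legacy", "1.14.9", "cos", ("10.0.0.0/8", "192.168.0.0/16")),
    Instance("prof-s3", "1.15.1", "s3", ("0.0.0.0/0",)),
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_INVENTORY):
        print(f"{verdict:20} {name}")
```

<p>An instance classified <code>exposed</code> is the case the advisory describes; <code>vulnerable-internal</code> still needs the upgrade, since the first step of the chain is satisfied by any internal foothold. A <code>patched</code> instance that was ever reachable while unpatched should have its COS key rotated regardless of the verdict.</p>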
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2025-41118 gives an attacker the credential Pyroscope uses for its Tencent COS backend, and with it the ability to read, modify, or delete whatever the bucket holds. Profiles carry function names, file paths and labels, so even the profiling data alone reveals application internals; the blast radius beyond that is set by the key's scope, since a key valid for other buckets or services in the same Tencent Cloud account extends the impact accordingly. Because the key is a static credential, the exposure outlives the patch and persists until the key is rotated. The number of affected Pyroscope installations is currently unknown.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Pyroscope instances to the patched versions: 1.15.2+, 1.16.1+, or any 1.17.x release to remediate CVE-2025-41118.</li>
<li>Treat the COS <code>secret_key</code> as compromised on any instance that was reachable by untrusted parties while unpatched: rotate it in Tencent Cloud and update Pyroscope's storage configuration, since upgrading alone does not invalidate a key that has already been read.</li>
<li>Restrict network access to the Pyroscope API (firewall rules, security groups or Kubernetes NetworkPolicy) to the agents that push profiles and the dashboards that query them; exposure of the API is the enabling condition for this issue.</li>
<li>Deploy the Sigma rule <code>Detect Pyroscope Configuration Request</code> to identify attempts to read configuration data via the API, and review its hits against the allowlist of expected clients.</li>
<li>Scope the COS credentials Pyroscope uses to the profiling bucket alone, so a leaked key cannot reach other storage in the account, and audit the Pyroscope and COS configuration regularly.</li>
</ul>
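<p>For a Kubernetes deployment, the network-restriction recommendation above can be expressed as a pair of NetworkPolicies. This is an added example, not configuration from the advisory or the Pyroscope project. It assumes Pyroscope runs in a namespace called <code>profiling</code> with the label <code>app.kubernetes.io/name=pyroscope</code>, listens on its default HTTP port 4040 (adjust if the port has been overridden), that workloads pushing profiles carry the label <code>pyroscope-client=enabled</code>, and that Grafana queries it from a namespace named <code>monitoring</code>. The weak state is the absence of any policy: Kubernetes then allows every pod, and anything that can reach a NodePort or LoadBalancer in front of the service, to talk to the API.</p>

```yaml
# Added example, not from the advisory or the Pyroscope project.
# Step 1: default-deny ingress to the Pyroscope pods. Without a policy like
# this, Kubernetes permits all ingress, which is the exposed state CVE-2025-41118
# is exploited from.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: pyroscope-default-deny
  namespace: profiling            # assumed namespace
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: pyroscope   # assumed pod label
  policyTypes: ["Ingress"]
  ingress: []                     # no sources allowed by this policy
---
# Step 2: allow only the legitimate callers: profile-pushing agents in any
# namespace that carry the pyroscope-client=enabled label, and Grafana in the
# "monitoring" namespace. Both labels are assumptions for this example.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: pyroscope-allow-trusted
  namespace: profiling
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: pyroscope
  policyTypes: ["Ingress"]
  ingress:
    - from:
        # namespaceSelector {} together with a podSelector in the same entry
        # means "pods with this label in any namespace".
        - namespaceSelector: {}
          podSelector:
            matchLabels:
              pyroscope-client: enabled
        # Grafana's namespace, matched on the namespace name label.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: monitoring
      ports:
        - protocol: TCP
          port: 4040              # Pyroscope's default HTTP port (assumed unchanged)
```

<p>NetworkPolicy only takes effect when the cluster's CNI enforces it, and it does not cover paths that bypass the pod network, such as an Ingress resource or a LoadBalancer that fronts the service from outside the cluster; those need their own restriction or removal. It is a network-exposure control, not an authentication mechanism: any pod that is allowed through can still reach the configuration-reading path on an unpatched build, so the upgrade remains the fix.</p>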
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>pyroscope</category><category>tencent-cos</category><category>secret-key-exposure</category><category>cve-2025-41118</category><category>cloud</category></item></channel></rss>