-
CVSS Score
-Basic Information
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AIMiggo AIRoot Cause AnalysisThe vulnerability CVE-2025-3454 in Grafana allows bypassing authorization checks in the datasource proxy API. This is achieved by manipulating the URL path with extra slash characters. The provided commit 1f707d16ed5d directly addresses this issue. The core change is within the validateRequest method of the DataSourceProxy struct located in pkg/api/pluginproxy/ds_proxy.go.
Before the patch, the validateRequest function compared the user-provided proxy.proxyPath with the configured route.Path using strings.HasPrefix. This was susceptible to path traversal/manipulation if an attacker used extra slashes (e.g., //some/path instead of /some/path). The strings.HasPrefix check might not behave as expected in such cases, potentially leading to an incorrect route match and bypassing authorization rules associated with the intended, more specific route.
The patch introduces path normalization by calling util.CleanRelativePath on both proxy.proxyPath and route.Path before the strings.HasPrefix comparison. This ensures that paths are canonicalized (e.g., multiple slashes are reduced to one) before the authorization check, thus preventing the bypass.
Therefore, the (*DataSourceProxy).validateRequest function is identified as the vulnerable function because it was responsible for the faulty path comparison that led to the authorization bypass. During exploitation, this function would be in the call stack when processing a malicious request with extra slashes in the datasource proxy URL.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/grafana/grafana | go | >= 0.0.0-20210414170620-dadccdda06e6, < 0.0.0-20250424191517-1f707d16ed5d | 0.0.0-20250424191517-1f707d16ed5d |
A Semantic Attack on Google Gemini - Read the Latest Research