
CVE-2025-3454:
Grafana's datasource proxy API allows authorization checks to be bypassed

CVSS Score
5

Basic Information

EPSS Score
-
Published
6/2/2025
Updated
6/5/2025
KEV Status
No
Technology
Go

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Package Name
github.com/grafana/grafana
Ecosystem
go
Vulnerable Versions
>= 0.0.0-20210414170620-dadccdda06e6, < 0.0.0-20250424191517-1f707d16ed5d
First Patched Version
0.0.0-20250424191517-1f707d16ed5d

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability CVE-2025-3454 in Grafana allows bypassing authorization checks in the datasource proxy API. This is achieved by manipulating the URL path with extra slash characters. The provided commit 1f707d16ed5d directly addresses this issue. The core change is within the validateRequest method of the DataSourceProxy struct located in pkg/api/pluginproxy/ds_proxy.go.

Before the patch, the validateRequest function compared the user-provided proxy.proxyPath with the configured route.Path using strings.HasPrefix. This was susceptible to path manipulation if an attacker used extra slashes (e.g., //some/path instead of /some/path). strings.HasPrefix is a literal byte comparison, so a path with a doubled slash does not match the route configured as /some/path; the request could instead match a less specific route, bypassing the authorization rules associated with the intended, more specific route.

The patch introduces path normalization by calling util.CleanRelativePath on both proxy.proxyPath and route.Path before the strings.HasPrefix comparison. This ensures that paths are canonicalized (e.g., multiple slashes are reduced to one) before the authorization check, thus preventing the bypass.

Therefore, the (*DataSourceProxy).validateRequest function is identified as the vulnerable function because it was responsible for the faulty path comparison that led to the authorization bypass. During exploitation, this function would be in the call stack when processing a malicious request with extra slashes in the datasource proxy URL.

Vulnerable functions

(*DataSourceProxy).validateRequest
pkg/api/pluginproxy/ds_proxy.go
This function is responsible for validating if a request to a datasource proxy path is allowed based on configured routes and their permissions. Before the patch, it directly compared the request path (`proxy.proxyPath`) with the configured route path (`route.Path`) using `strings.HasPrefix`. This comparison could be bypassed by an attacker by inserting extra slashes in the request path (e.g., using `//api/` instead of `/api/`). The `strings.HasPrefix` check would fail to correctly match the intended route, potentially allowing an attacker to bypass route-specific authorization checks if a less restrictive parent route (e.g. `/`) was matched instead, or if the path normalization in a downstream component removed the extra slashes leading to an unauthorized access.
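The following Go program is an added illustration of the comparison described in the root cause analysis and in the vulnerable-function entry above; it is not Grafana's code. It models a route table as a slice of constructed routes (a sensitive Editor-only sub-path listed before a Viewer-level catch-all), a matcher that uses a raw strings.HasPrefix comparison like the pre-patch validateRequest, and a matcher that canonicalizes both sides first. The cleanRelativePath helper uses the standard library's path.Clean as a stand-in for Grafana's util.CleanRelativePath, on the assumption that the latter performs equivalent slash collapsing and segment resolution; the role names and route paths are constructed sample data.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// proxyRoute is a constructed stand-in for a configured datasource proxy
// route and the minimum organisation role it requires (not Grafana's types).
type proxyRoute struct {
	Path    string
	ReqRole string
}

// roleRank orders the roles used in this example (Viewer < Editor < Admin).
var roleRank = map[string]int{"Viewer": 1, "Editor": 2, "Admin": 3}

// cleanRelativePath canonicalizes a request or route path: repeated slashes
// collapse to one and "." / ".." segments are resolved. It stands in for
// Grafana's util.CleanRelativePath (assumption: equivalent canonicalization);
// the standard library's path.Clean does the work here.
func cleanRelativePath(p string) string {
	return path.Clean("/" + p)
}

// matchRouteVulnerable mirrors the pre-patch comparison: the raw request path
// is tested with strings.HasPrefix against each route in order, so a request
// for "//api/v1/alerts" does not match the specific "/api/v1/alerts" route and
// falls through to the catch-all "/" route with weaker requirements.
func matchRouteVulnerable(routes []proxyRoute, reqPath string) (proxyRoute, bool) {
	for _, r := range routes {
		if strings.HasPrefix(reqPath, r.Path) {
			return r, true
		}
	}
	return proxyRoute{}, false
}

// matchRouteFixed applies the patched approach: both sides are canonicalized
// before the prefix comparison, so extra slashes no longer change which route
// is selected.
func matchRouteFixed(routes []proxyRoute, reqPath string) (proxyRoute, bool) {
	cleanReq := cleanRelativePath(reqPath)
	for _, r := range routes {
		if strings.HasPrefix(cleanReq, cleanRelativePath(r.Path)) {
			return r, true
		}
	}
	return proxyRoute{}, false
}

// authorize reports whether a user with userRole may use the route chosen by
// the given matcher, and returns the matched route path for inspection.
func authorize(match func([]proxyRoute, string) (proxyRoute, bool),
	routes []proxyRoute, userRole, reqPath string) (allowed bool, matched string) {
	r, ok := match(routes, reqPath)
	if !ok {
		return false, ""
	}
	return roleRank[userRole] >= roleRank[r.ReqRole], r.Path
}

// sampleRoutes is a constructed configuration: a sensitive sub-path that needs
// Editor, listed before a permissive catch-all that any Viewer may use.
var sampleRoutes = []proxyRoute{
	{Path: "/api/v1/alerts", ReqRole: "Editor"},
	{Path: "/", ReqRole: "Viewer"},
}

func main() {
	// Compare how a Viewer's requests are routed by both matchers.
	for _, p := range []string{"/api/v1/alerts", "//api/v1/alerts", "/api/v1/../v1/alerts"} {
		vOK, vRoute := authorize(matchRouteVulnerable, sampleRoutes, "Viewer", p)
		fOK, fRoute := authorize(matchRouteFixed, sampleRoutes, "Viewer", p)
		fmt.Printf("%-22s vulnerable: allowed=%-5t via %-16q fixed: allowed=%-5t via %q\n",
			p, vOK, vRoute, fOK, fRoute)
	}
}
```

The detection-side takeaway is the same as the fix: any prefix-based route match must run on a canonical form of the path, and a proxy log showing doubled slashes or dot segments in front of a restricted sub-path is worth alerting on while unpatched builds remain in service.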

WAF Protection Rules

WAF Rule

This vulnerability in Grafana's datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the URL path. Users with minimal permissions could gain unauthorized read access to GET endpoints in alertmanager a
