
A Hidden API Flaw Could Hand Attackers the Keys to Your Cloud Storage

A critical vulnerability in Pyroscope lets attackers steal cloud storage credentials directly from its API — no hacking skills required, just access.

PLAIN ENGLISH EDITION

This article is written for general audiences — no security background needed. For the full technical analysis with CVE details, affected versions, and code-level breakdown, visit Intel Reports.

Pyroscope Flaw Exposes Cloud Storage Secret Keys

Imagine leaving your bank's master password written on a sticky note in the lobby — that's essentially what a newly discovered flaw in a widely-used developer tool has been doing with cloud storage credentials.

Who's Affected and Why It Matters

Pyroscope is an open-source continuous profiling database used by engineering teams at companies of all sizes to monitor application performance in real time. It's the kind of infrastructure software that quietly runs in the background of countless production environments — which is exactly why vulnerabilities like this one are so dangerous. If your organization uses Pyroscope and has configured it to store data in Tencent Cloud Object Storage (COS), your cloud storage secret key may be sitting exposed, readable by anyone who can reach your Pyroscope API endpoint.

The scope of potential victims is significant. Tencent COS is a major cloud storage platform used heavily across Asia-Pacific enterprises, gaming companies, fintech platforms, and increasingly by global organizations leveraging Tencent Cloud infrastructure. A leaked secret key doesn't just mean someone can read your stored data — it means they can delete it, exfiltrate it, or replace it entirely, potentially triggering compliance violations, data breach notifications, and six-figure recovery bills.

What's Actually Happening Here

Think of Pyroscope like a sophisticated monitoring dashboard for your software. To do its job, it needs to store large amounts of performance data somewhere — and many organizations point it at a cloud storage bucket, the way you might back up your phone photos to iCloud or Google Photos. To access that storage bucket, Pyroscope is given a secret password — a credential — during setup. That credential gets saved in the system's configuration.

Here's where it goes wrong. Pyroscope exposes an API — essentially a door that other software systems use to talk to it and retrieve information. Researchers discovered that through this API, an attacker can ask Pyroscope to hand over its own configuration settings. Buried in those settings is the secret key for Tencent COS. No elaborate hacking needed. No breaking through encryption. Just making the right request to the right door and walking away with the master key to your cloud storage.

The critical word in the official advisory is "direct access." An attacker needs to be able to reach the Pyroscope API — which, in a concerning number of real-world deployments, means it's reachable over the public internet. Developer tools are frequently spun up quickly and left exposed, especially in staging environments or during cloud migrations. Once that key is in an attacker's hands, the damage has nothing to do with Pyroscope anymore. They go straight to your cloud storage and do whatever they want.

The Technical Detail Security Teams Need

This vulnerability is classified as a configuration leak / credential exposure vulnerability and has been assigned a CVSS score of 9.1 (Critical). The flaw exists in Pyroscope's API layer, which fails to restrict access to sensitive configuration values — specifically the secret_key field used for Tencent COS authentication — allowing unauthenticated or low-privilege API callers to retrieve it in plaintext. This is a textbook case of insecure direct object reference combined with missing secrets management controls: sensitive credentials should never be readable through an API endpoint, regardless of authentication state.
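The control the paragraph above describes, a configuration endpoint that never returns credentials in clear text, can be checked and enforced with a small amount of code. The following Python is an added example written for this article; it is not Pyroscope's code and it does not call the Pyroscope API. The `SENSITIVE_KEY_RE` pattern and the shape of `SAMPLE_CONFIG` (including the `storage.cos.secret_key` path and the fake values in it) are assumptions constructed for the demonstration. `find_secret_paths` can be run over any saved configuration dump to list which fields still hold plaintext secrets, and `redact_secrets` shows the transformation a configuration endpoint should apply before responding.

```python
import re
from copy import deepcopy

# Key names that must never leave a configuration endpoint in clear text.
# The pattern is an assumption for this example; extend it to match your
# own configuration schema.
SENSITIVE_KEY_RE = re.compile(
    r"(secret|password|passwd|token|private_key|access_key)", re.IGNORECASE
)

REDACTED = "********"


def find_secret_paths(node, path=()):
    """Return dotted paths of every sensitive key that still holds a
    non-empty, non-redacted string value. Walks nested dicts and lists."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = path + (str(key),)
            if SENSITIVE_KEY_RE.search(str(key)) and isinstance(value, str):
                if value and value != REDACTED:
                    hits.append(".".join(child))
            else:
                hits.extend(find_secret_paths(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_secret_paths(item, path + (f"[{i}]",)))
    return hits


def redact_secrets(config):
    """Return a copy of config with every sensitive string value replaced.
    This is what an API that serves configuration should do before responding;
    the original object is left untouched."""
    def walk(node):
        if isinstance(node, dict):
            return {
                k: (REDACTED
                    if SENSITIVE_KEY_RE.search(str(k)) and isinstance(v, str) and v
                    else walk(v))
                for k, v in node.items()
            }
        if isinstance(node, list):
            return [walk(x) for x in node]
        return node
    return walk(deepcopy(config))


# Constructed sample: the layout mirrors an object-storage section of a
# profiling-database config; key names are assumptions and every value is fake.
SAMPLE_CONFIG = {
    "server": {"http_listen_port": 4040},
    "storage": {
        "backend": "cos",
        "cos": {
            "bucket": "example-profiles-1250000000",
            "region": "ap-guangzhou",
            "app_id": "1250000000",
            "secret_id": "AKIDEXAMPLEEXAMPLEEXAMPLE",
            "secret_key": "EXAMPLEsecretKEYdoNotUse000000",
        },
    },
}

if __name__ == "__main__":
    print("exposed before redaction:", find_secret_paths(SAMPLE_CONFIG))
    print("exposed after redaction: ", find_secret_paths(redact_secrets(SAMPLE_CONFIG)))
```

The matcher is deliberately broad: it also catches `secret_id`, the Tencent access key identifier, which is less sensitive than the secret key but still has no business in an API response. A field that is itself a dict (for example a `secrets:` section) is recursed into rather than blanked, so nested values are still found.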

Has Anyone Been Exploited Yet?

As of publication, no active exploitation has been confirmed in the wild. However, security teams should treat that window as narrow and closing. Vulnerabilities of this class — credential exposure through a simple API call — are among the fastest to be operationalized by threat actors once details become public. Automated scanners routinely crawl the internet for exposed developer tool APIs, and this kind of flaw requires no custom exploit code: it's a matter of knowing which API endpoint to query.

The vulnerability was disclosed through Pyroscope's security advisory process and patched by the project's maintainers. No specific security research group or external reporter has been publicly credited at this time. There are no known victim organizations or active campaigns confirmed as of this writing — but the combination of a 9.1 CVSS score, a trivially simple exploitation path, and widely exposed developer infrastructure means the risk calculus strongly favors patching immediately rather than waiting for proof of exploitation.

What You Should Do Right Now

If you run Pyroscope in any environment, take these three steps today:

  1. Patch to Pyroscope version 1.15.x or later immediately. This is the fixed release line. If you're running any version prior to 1.15.x with Tencent COS configured as your storage backend, assume your secret key may already be compromised and treat it accordingly. Check your deployment manifests, Helm charts, or Docker configurations for the current version tag.
  2. Rotate your Tencent COS secret key right now — don't wait. Log in to your Tencent Cloud console, navigate to your COS credentials, and generate a new secret key. Revoke the old one immediately. Update the new credential in your Pyroscope configuration and any other services that may have used the same key. If you use secrets management tools like HashiCorp Vault, AWS Secrets Manager, or Kubernetes Secrets, update those stores and trigger a rotation audit.
  3. Lock down your Pyroscope API so it is not reachable from the public internet. Place it behind a VPN, internal load balancer, or firewall rule that restricts access to trusted internal IP ranges or authenticated users only. Use your cloud provider's security group or network policy tools to block port access from external sources. As a general hygiene rule: no internal database or monitoring tool should ever have an API exposed to the open internet without explicit authentication controls.
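Step 1 asks you to check deployment manifests for the running version tag; the following Python is an added example (written for this article, not a Pyroscope project tool) that scans a manifest for Pyroscope image references, compares each tag against the 1.15.x fixed line, and flags deployments where a COS backend is also configured, which is the combination under which the secret key should be treated as compromised. The image name `grafana/pyroscope`, the `backend: cos` key, and the contents of `SAMPLE_MANIFEST` are assumptions constructed for the demonstration; tags that carry no version (`latest`, a commit hash) are reported as unknown rather than silently passed.

```python
import re

FIXED_LINE = (1, 15)  # fixed release line given in the advisory: 1.15.x or later

# Matches container image references for Pyroscope in Kubernetes manifests,
# Helm values or compose files. The image name "grafana/pyroscope" is an
# assumption; registries that mirror it under another path still match as
# long as the final path component is "pyroscope".
IMAGE_RE = re.compile(r"image:\s*['\"]?(?:[\w.\-]+/)*pyroscope:(?P<tag>[\w.\-]+)")

# The storage backend key is assumed; it mirrors the "backend: cos" style
# used by Grafana-family object storage configuration.
COS_RE = re.compile(r"backend:\s*['\"]?cos\b")


def parse_version(tag):
    """Turn '1.14.2', 'v1.15.0' or '1.15.0-rc.1' into a (major, minor, patch) tuple.
    Returns None for tags that carry no version ('latest', a git sha, ...)."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", tag)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def needs_patch(tag):
    """True if the tag is older than the fixed line, False if it is fixed,
    None if the tag cannot be compared and must be checked by hand."""
    version = parse_version(tag)
    if version is None:
        return None
    return version[:2] < FIXED_LINE


def assess_manifest(text):
    """Scan one manifest and report every Pyroscope image found, whether it
    needs the patch, and whether the secret key should be considered at risk
    (unpatched or unknown version combined with a COS storage backend)."""
    cos_configured = bool(COS_RE.search(text))
    findings = []
    for m in IMAGE_RE.finditer(text):
        tag = m.group("tag")
        status = needs_patch(tag)
        findings.append({
            "tag": tag,
            "needs_patch": status,
            # An unknown version is treated as unpatched until proven otherwise.
            "secret_at_risk": status is not False and cos_configured,
        })
    return findings


# Constructed sample manifest fragments; not taken from any real deployment.
SAMPLE_MANIFEST = """
containers:
  - name: pyroscope
    image: grafana/pyroscope:1.14.2
  - name: pyroscope-canary
    image: "registry.example.internal/mirror/pyroscope:v1.15.1"
  - name: sidecar
    image: grafana/pyroscope:latest
config:
  storage:
    backend: cos
"""

if __name__ == "__main__":
    for finding in assess_manifest(SAMPLE_MANIFEST):
        print(finding)
```

Run it against each manifest, Helm values file or compose file in turn; any finding with `secret_at_risk` set means the rotation in step 2 is not optional for that deployment, and a `needs_patch` of `None` means the running version has to be confirmed from the container itself.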

CVE: CVE-2025-41118  |  CVSS: 9.1 Critical  |  Fixed in: Pyroscope 1.15.x  |  Affected configuration: Tencent COS storage backend
