AIKIDO-2025-10448
github.com/grafana/synthetic-monitoring-agent is vulnerable to Exposure of Sensitive System Information to an Unauthorized Control Sphere
20
Low Risk
This Affects:
github.com/grafana/synthetic-monitoring-agentTL;DR
Affected versions of this package are vulnerable to Sensitive Information Disclosure, where sensitive credentials are recorded in application logs or JSON outputs during logging with zerolog or data serialization. It occurs when the package fails to sanitize password fields before processing, exposing them in cleartext within log entries or API responses. Attackers with access to these logs, via compromised systems, misconfigured storage, or internal threats, can directly harvest passwords, enabling credential theft, account takeover, or lateral movement within the environment without requiring advanced exploitation techniques.
Who does this affect?
You are affected if you are using a version that falls within the vulnerable range.
Background info
github.com/grafana/synthetic-monitoring-agent is vulnerable to Exposure of Sensitive System Information to an Unauthorized Control Sphere in versions 0.25.0 - 0.38.3.
How to fix this
Upgrade the github.com/grafana/synthetic-monitoring-agent library to a patch version.
Are You Affected?
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.
SOC 2Compliant
ISO 27001Compliant