fix(deps): update module github.com/prometheus/prometheus to v0.311.3 [security]#146
Open
renovate-sh-app[bot] wants to merge 1 commit intomainfrom
Open
Conversation
renovate-sh-app
Bot
added
automerge-security-update
severity:MEDIUM
update-minor
labels
Contributor
Author
|
renovate-sh-app
Bot
force-pushed
the
renovate/go-github.com-prometheus-prometheus-vulnerability
branch
7 times, most recently
from
318e5df to
f5d0187
Compare
renovate-sh-app
Bot
force-pushed
the
renovate/go-github.com-prometheus-prometheus-vulnerability
branch
3 times, most recently
from
ffa8263 to
484e847
Compare
renovate-sh-app
Bot
force-pushed
the
renovate/go-github.com-prometheus-prometheus-vulnerability
branch
from
484e847 to
05d97d5
Compare
renovate-sh-app
Bot
changed the title
auto-merge was automatically disabled
May 5, 2026 01:13
Pull request was closed
renovate-sh-app
Bot
deleted the
renovate/go-github.com-prometheus-prometheus-vulnerability
branch
renovate-sh-app
Bot
changed the title
renovate-sh-app
Bot
force-pushed
the
renovate/go-github.com-prometheus-prometheus-vulnerability
branch
from
05d97d5 to
ace52bf
Compare
… [security] | datasource | package | from | to | | ---------- | -------------------------------- | -------- | -------- | | go | github.com/prometheus/prometheus | v0.308.1 | v0.311.3 | Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
renovate-sh-app
Bot
force-pushed
the
renovate/go-github.com-prometheus-prometheus-vulnerability
branch
from
ace52bf to
f2cb66b
Compare
renovate-sh-app
Bot
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v0.308.1→v0.311.3Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Prometheus has Stored XSS via metric names and label values in Prometheus web UI tooltips and metrics explorer
CVE-2026-40179 / GHSA-vffh-x6r8-xx99
More information
Details
Impact
Stored cross-site scripting (XSS) via crafted metric names in the Prometheus web UI:
innerHTMLwithout escaping, causing arbitrary script execution in the user's browser.innerHTMLwithout escaping, causing arbitrary script execution in the user's browser.lelabel values of the underlying histogram buckets are interpolated intoinnerHTMLwithout escaping. Whileleis conventionally a numeric bucket boundary, Prometheus does not enforce this — arbitrary UTF-8 strings are accepted as label values, allowing script injection via a crafted scrape target or remote write.With Prometheus v3.x defaulting to UTF-8 metric and label name validation, characters like
<,>, and"are now valid in metric names and labels, making this exploitable.An attacker who can inject metrics (via a compromised scrape target, remote write, or OTLP receiver endpoint) can execute JavaScript in the browser of any Prometheus user who views the metric in the Graph UI. From the XSS context, an attacker could for example:
/api/v1/status/configto extract sensitive configuration (although credentials / secrets are redacted by the server)/-/quitto shut down Prometheus (only if--web.enable-lifecycleis set)/api/v1/admin/tsdb/delete_seriesto delete data (only if--web.enable-admin-apiis set)Both the new Mantine UI and the old React UI are affected. The vulnerable code paths are:
web/ui/mantine-ui/src/pages/query/uPlotChartHelpers.ts— tooltipinnerHTMLwith unescapedlabels.__name__web/ui/react-app/src/pages/graph/GraphHelpers.ts— tooltip content with unescapedlabels.__name__web/ui/react-app/src/pages/graph/MetricsExplorer.tsx— fuzzy search results rendered viadangerouslySetInnerHTMLwithout sanitizationweb/ui/react-app/src/vendor/flot/jquery.flot.heatmap.js— heatmap tooltip with unescaped label valuesPatches
A patch has been published in Prometheus 3.5.2 LTS and Prometheus 3.11.2. The fix applies
escapeHTML()to all user-controlled values (metric names and label values) before inserting them intoinnerHTML. This advisory will be updated with the patched version once released.Workarounds
--web.enable-remote-write-receiver), ensure it is not exposed to untrusted sources.--web.enable-otlp-receiver), ensure it is not exposed to untrusted sources.--web.enable-admin-apiorweb.enable-lifecycle) in cases where you cannot prevent untrusted data from being ingested.Acknowledgements
Thanks to @gladiator9797 (Duc Anh Nguyen from TinyxLab) for reporting this.
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Prometheus Azure AD remote write OAuth client secret exposed via config API
CVE-2026-42151 / GHSA-wg65-39gg-5wfj
More information
Details
Impact
Users who use Azure AD remote write with OAuth authentication are impacted.
The
client_secretfield in the Azure AD remote write OAuth configuration (storage/remote/azuread) was typed asstringinstead ofSecret. Prometheus redacts fields of typeSecretwhen serving the configuration via the/-/configHTTP API endpoint. Because the field was a plain string, the Azure OAuth client secret was exposed in plaintext to any user or process with access to that endpoint.Patches
The problem has been patched by changing
ClientSecretinOAuthConfigtoSecret. Users should upgrade to 3.11.3 or 3.5.3 LTS.Workarounds
Users who can not upgrade can switch to Managed Identity or Workload Identity authentication for Azure AD remote write, which do not involve a client secret.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Prometheus: Remote read endpoint allows denial of service via crafted snappy payload
CVE-2026-42154 / GHSA-8rm2-7qqf-34qm
More information
Details
Impact
The remote read endpoint (
/api/v1/read) does not validate the declared decoded length in a snappy-compressed request body before allocating memory.An unauthenticated attacker can send a small payload that causes a huge heap allocation per request. Under concurrent load this can exhaust available memory and crash the Prometheus process.
Patches
Has the problem been patched? What versions should users upgrade to?
Fixed in 3.11.3 and 3.5.3 LTS. Users should upgrade to these versions or later.
Workarounds
User who can not upgrade can place Prometheus behind a reverse proxy or firewall that requires authentication before requests reach /api/v1/read.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Prometheus vulnerable to stored XSS via crafted histogram bucket label values in the old web UI heatmap display
GHSA-fw8g-cg8f-9j28
More information
Details
Impact
In the Prometheus server's legacy web UI (enabled via the command-line flag
--enable-feature=old-ui), the histogram heatmap chart view does not escapelelabel values when inserting them into the HTML for use as axis tick mark labels.An attacker who can inject crafted metrics (e.g. via a compromised scrape target, remote write, or OTLP receiver endpoint) can execute JavaScript in the browser of any Prometheus user who views the metric in the heatmap chart UI. From the XSS context, an attacker could for example:
/api/v1/status/configto extract sensitive configuration (although credentials / secrets are redacted by the server)/-/quitto shut down Prometheus (only if--web.enable-lifecycleis set)/api/v1/admin/tsdb/delete_seriesto delete data (only if--web.enable-admin-apiis set)Note that this only affects users who have explicitly enabled the legacy Prometheus web UI using the
--enable-feature=old-uicommand-line flag.Patches
A patch is available at https://github.com/prometheus/prometheus/releases/tag/v0.311.3.
Workarounds
If at all possible, disable the legacy web UI by removing the
--enable-feature=old-uicommand-line flag).If this is not an option, take the following precautions:
--web.enable-remote-write-receiver), ensure it is not exposed to untrusted sources.--web.enable-otlp-receiver), ensure it is not exposed to untrusted sources.--web.enable-admin-apiorweb.enable-lifecycle) in cases where you cannot prevent untrusted data from being ingested.label_replace, as they may generate poisoned label names and values.Resources
Severity
Medium
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Prometheus has Stored XSS via metric names and label values in Prometheus web UI tooltips and metrics explorer
BIT-prometheus-2026-40179 / CVE-2026-40179 / GHSA-vffh-x6r8-xx99
More information
Details
Impact
Stored cross-site scripting (XSS) via crafted metric names in the Prometheus web UI:
innerHTMLwithout escaping, causing arbitrary script execution in the user's browser.innerHTMLwithout escaping, causing arbitrary script execution in the user's browser.lelabel values of the underlying histogram buckets are interpolated intoinnerHTMLwithout escaping. Whileleis conventionally a numeric bucket boundary, Prometheus does not enforce this — arbitrary UTF-8 strings are accepted as label values, allowing script injection via a crafted scrape target or remote write.With Prometheus v3.x defaulting to UTF-8 metric and label name validation, characters like
<,>, and"are now valid in metric names and labels, making this exploitable.An attacker who can inject metrics (via a compromised scrape target, remote write, or OTLP receiver endpoint) can execute JavaScript in the browser of any Prometheus user who views the metric in the Graph UI. From the XSS context, an attacker could for example:
/api/v1/status/configto extract sensitive configuration (although credentials / secrets are redacted by the server)/-/quitto shut down Prometheus (only if--web.enable-lifecycleis set)/api/v1/admin/tsdb/delete_seriesto delete data (only if--web.enable-admin-apiis set)Both the new Mantine UI and the old React UI are affected. The vulnerable code paths are:
web/ui/mantine-ui/src/pages/query/uPlotChartHelpers.ts— tooltipinnerHTMLwith unescapedlabels.__name__web/ui/react-app/src/pages/graph/GraphHelpers.ts— tooltip content with unescapedlabels.__name__web/ui/react-app/src/pages/graph/MetricsExplorer.tsx— fuzzy search results rendered viadangerouslySetInnerHTMLwithout sanitizationweb/ui/react-app/src/vendor/flot/jquery.flot.heatmap.js— heatmap tooltip with unescaped label valuesPatches
A patch has been published in Prometheus 3.5.2 LTS and Prometheus 3.11.2. The fix applies
escapeHTML()to all user-controlled values (metric names and label values) before inserting them intoinnerHTML. This advisory will be updated with the patched version once released.Workarounds
--web.enable-remote-write-receiver), ensure it is not exposed to untrusted sources.--web.enable-otlp-receiver), ensure it is not exposed to untrusted sources.--web.enable-admin-apiorweb.enable-lifecycle) in cases where you cannot prevent untrusted data from being ingested.Acknowledgements
Thanks to @gladiator9797 (Duc Anh Nguyen from TinyxLab) for reporting this.
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Prometheus: Remote read endpoint allows denial of service via crafted snappy payload
BIT-prometheus-2026-42154 / CVE-2026-42154 / GHSA-8rm2-7qqf-34qm
More information
Details
Impact
The remote read endpoint (
/api/v1/read) does not validate the declared decoded length in a snappy-compressed request body before allocating memory.An unauthenticated attacker can send a small payload that causes a huge heap allocation per request. Under concurrent load this can exhaust available memory and crash the Prometheus process.
Patches
Has the problem been patched? What versions should users upgrade to?
Fixed in 3.11.3 and 3.5.3 LTS. Users should upgrade to these versions or later.
Workarounds
User who can not upgrade can place Prometheus behind a reverse proxy or firewall that requires authentication before requests reach /api/v1/read.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Prometheus vulnerable to stored XSS via crafted histogram bucket label values in the old web UI heatmap display
GHSA-fw8g-cg8f-9j28
More information
Details
Impact
In the Prometheus server's legacy web UI (enabled via the command-line flag
--enable-feature=old-ui), the histogram heatmap chart view does not escapelelabel values when inserting them into the HTML for use as axis tick mark labels.An attacker who can inject crafted metrics (e.g. via a compromised scrape target, remote write, or OTLP receiver endpoint) can execute JavaScript in the browser of any Prometheus user who views the metric in the heatmap chart UI. From the XSS context, an attacker could for example:
/api/v1/status/configto extract sensitive configuration (although credentials / secrets are redacted by the server)/-/quitto shut down Prometheus (only if--web.enable-lifecycleis set)/api/v1/admin/tsdb/delete_seriesto delete data (only if--web.enable-admin-apiis set)Note that this only affects users who have explicitly enabled the legacy Prometheus web UI using the
--enable-feature=old-uicommand-line flag.Patches
A patch is available at https://github.com/prometheus/prometheus/releases/tag/v0.311.3.
Workarounds
If at all possible, disable the legacy web UI by removing the
--enable-feature=old-uicommand-line flag).If this is not an option, take the following precautions:
--web.enable-remote-write-receiver), ensure it is not exposed to untrusted sources.--web.enable-otlp-receiver), ensure it is not exposed to untrusted sources.--web.enable-admin-apiorweb.enable-lifecycle) in cases where you cannot prevent untrusted data from being ingested.label_replace, as they may generate poisoned label names and values.Resources
Severity
Moderate
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Prometheus Azure AD remote write OAuth client secret exposed via config API
BIT-prometheus-2026-42151 / CVE-2026-42151 / GHSA-wg65-39gg-5wfj
More information
Details
Impact
Users who use Azure AD remote write with OAuth authentication are impacted.
The
client_secretfield in the Azure AD remote write OAuth configuration (storage/remote/azuread) was typed asstringinstead ofSecret. Prometheus redacts fields of typeSecretwhen serving the configuration via the/-/configHTTP API endpoint. Because the field was a plain string, the Azure OAuth client secret was exposed in plaintext to any user or process with access to that endpoint.Patches
The problem has been patched by changing
ClientSecretinOAuthConfigtoSecret. Users should upgrade to 3.11.3 or 3.5.3 LTS.Workarounds
Users who can not upgrade can switch to Managed Identity or Workload Identity authentication for Azure AD remote write, which do not involve a client secret.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
prometheus/prometheus (github.com/prometheus/prometheus)
v0.311.3Compare Source
v0.311.2Compare Source
v0.311.1Compare Source
v0.311.0Compare Source
v0.310.0Compare Source
v0.309.1Compare Source
v0.309.0Compare Source
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
Need help?
You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.