fix(deps): update module github.com/prometheus/prometheus to v0.311.2 [security] (release-v2.9)#6956
Open
renovate-sh-app[bot] wants to merge 1 commit intorelease-v2.9from
Conversation
renovate-sh-app
Bot
added
dependencies
renovate-sh-app
Bot
requested review from
carles-grafana,
electron0zero,
ie-pham,
javiermolinar,
mapno,
mattdurham,
mdisibio,
ruslan-mikhailov,
stoewer,
yvrhdn and
zalegrala
as code owners
Contributor
Author
|
renovate-sh-app
Bot
force-pushed
the
renovate/release-v2.9-go-github.tiyicn.workers.dev-prometheus-prometheus-vulnerability
branch
7 times, most recently
from
02ba99b to
2469edf
Compare
… [security] | datasource | package | from | to | | ---------- | -------------------------------- | -------- | -------- | | go | github.com/prometheus/prometheus | v0.304.2 | v0.311.2 | Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
renovate-sh-app
Bot
force-pushed
the
renovate/release-v2.9-go-github.tiyicn.workers.dev-prometheus-prometheus-vulnerability
branch
from
2469edf to
6cfbe68
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v0.304.2→v0.311.2Prometheus has Stored XSS via metric names and label values in Prometheus web UI tooltips and metrics explorer
BIT-prometheus-2026-40179 / CVE-2026-40179 / GHSA-vffh-x6r8-xx99
More information
Details
Impact
Stored cross-site scripting (XSS) via crafted metric names in the Prometheus web UI:
innerHTMLwithout escaping, causing arbitrary script execution in the user's browser.innerHTMLwithout escaping, causing arbitrary script execution in the user's browser.lelabel values of the underlying histogram buckets are interpolated intoinnerHTMLwithout escaping. Whileleis conventionally a numeric bucket boundary, Prometheus does not enforce this — arbitrary UTF-8 strings are accepted as label values, allowing script injection via a crafted scrape target or remote write.With Prometheus v3.x defaulting to UTF-8 metric and label name validation, characters like
<,>, and"are now valid in metric names and labels, making this exploitable.An attacker who can inject metrics (via a compromised scrape target, remote write, or OTLP receiver endpoint) can execute JavaScript in the browser of any Prometheus user who views the metric in the Graph UI. From the XSS context, an attacker could for example:
/api/v1/status/configto extract sensitive configuration (although credentials / secrets are redacted by the server)/-/quitto shut down Prometheus (only if--web.enable-lifecycleis set)/api/v1/admin/tsdb/delete_seriesto delete data (only if--web.enable-admin-apiis set)Both the new Mantine UI and the old React UI are affected. The vulnerable code paths are:
web/ui/mantine-ui/src/pages/query/uPlotChartHelpers.ts— tooltipinnerHTMLwith unescapedlabels.__name__web/ui/react-app/src/pages/graph/GraphHelpers.ts— tooltip content with unescapedlabels.__name__web/ui/react-app/src/pages/graph/MetricsExplorer.tsx— fuzzy search results rendered viadangerouslySetInnerHTMLwithout sanitizationweb/ui/react-app/src/vendor/flot/jquery.flot.heatmap.js— heatmap tooltip with unescaped label valuesPatches
A patch has been published in Prometheus 3.5.2 LTS and Prometheus 3.11.2. The fix applies
escapeHTML()to all user-controlled values (metric names and label values) before inserting them intoinnerHTML. This advisory will be updated with the patched version once released.Workarounds
--web.enable-remote-write-receiver), ensure it is not exposed to untrusted sources.--web.enable-otlp-receiver), ensure it is not exposed to untrusted sources.--web.enable-admin-apiorweb.enable-lifecycle) in cases where you cannot prevent untrusted data from being ingested.Acknowledgements
Thanks to @gladiator9797 (Duc Anh Nguyen from TinyxLab) for reporting this.
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
prometheus/prometheus (github.com/prometheus/prometheus)
v0.311.2Compare Source
v0.311.1Compare Source
v0.311.0Compare Source
v0.310.0Compare Source
v0.309.1Compare Source
v0.309.0Compare Source
v0.308.1Compare Source
v0.308.0Compare Source
v0.307.3Compare Source
v0.307.2Compare Source
v0.307.1Compare Source
v0.307.0Compare Source
v0.306.0Compare Source
v0.305.3Compare Source
v0.305.2Compare Source
v0.305.1Compare Source
v0.305.0Compare Source
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
Need help?
You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.