Vulnerability Report: GO-2022-0322

CVE-2022-21698, GHSA-cg3q-j54f-5p7p
Affects: github.com/prometheus/client_golang
Published: Jul 15, 2022
Modified: Apr 26, 2024

The Prometheus client_golang HTTP server is vulnerable to a denial of service attack when handling requests with non-standard HTTP methods. In order to be affected, an instrumented software must use any of the promhttp.InstrumentHandler* middleware except RequestsInFlight; not filter any specific methods (e.g GET) before middleware; pass a metric with a "method" label name to a middleware; and not have any firewall/LB/proxy that filters away requests with unknown "method".

Affected Packages

Path

Versions

Symbols
github.com/prometheus/client_golang/prometheus/promhttp

before v1.11.1
10 affected symbols

Aliases

CVE-2022-21698
GHSA-cg3q-j54f-5p7p

References

https://github.com/prometheus/client_golang/pull/962
https://vuln.go.dev/ID/GO-2022-0322.json

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL