7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-21698

GHSA ID

GHSA-cg3q-j54f-5p7p

EPSS Score

0.49819%

CWE

CWE-400

Published

2/16/2022

Updated

2/15/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-21698

CVE-2022-21698: Uncontrolled Resource Consumption in promhttp

This is the Go client library for Prometheus. It has two separate parts, one for instrumenting application code, and one for creating clients that talk to the Prometheus HTTP API. client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients.

Impact

HTTP server susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods.

Affected Configuration

In order to be affected, an instrumented software must

Use any of promhttp.InstrumentHandler* middleware except RequestsInFlight.
Do not filter any specific methods (e.g GET) before middleware.
Pass metric with method label name to our middleware.
Not have any firewall/LB/proxy that filters away requests with unknown method.

Patches

https://github.com/prometheus/client_golang/pull/962
https://github.com/prometheus/client_golang/pull/987

Workarounds

If you cannot upgrade to v1.11.1 or above, in order to stop being affected you can:

Remove method label name from counter/gauge you use in the InstrumentHandler.
Turn off affected promhttp handlers.
Add custom middleware before promhttp handler that will sanitize the request method given by Go http.Request.
Use a reverse proxy or web application firewall, configured to only allow a limited set of methods.

For more information

If you have any questions or comments about this advisory:

Open an issue in https://github.com/prometheus/client_golang
Email us at prometheus-team@googlegroups.com

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-21698

GHSA ID

GHSA-cg3q-j54f-5p7p

EPSS Score

0.49819%

CWE

CWE-400

Published

2/16/2022

Updated

2/15/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/prometheus/client_golang	go	< 1.11.1	1.11.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from InstrumentHandler middleware that use 'method' labels without proper validation(). These functions directly use http.Request.Method as a metric label value, allowing attackers to create high cardinality by sending requests with arbitrary methods. The patches in PR #962/#987 added method validation() and sanitization to prevent this. RequestsInFlight is excluded as it doesn't use method labels.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T*is is t** *o *li*nt li*r*ry *or Prom*t**us. It **s two s*p*r*t* p*rts, on* *or instrum*ntin* *ppli**tion *o**, *n* on* *or *r**tin* *li*nts t**t t*lk to t** Prom*t**us *TTP *PI. *li*nt_*ol*n* is t** instrum*nt*tion li*r*ry *or *o *ppli**tions in Pr

Reasoning

T** vuln*r**ility st*ms *rom `Instrum*nt**n*l*r` mi**l*w*r* t**t us* 'm*t*o*' l***ls wit*out prop*r `v*li**tion()`. T**s* *un*tions *ir**tly us* `*ttp.R*qu*st.M*t*o*` *s * m*tri* l***l v*lu*, *llowin* *tt**k*rs to *r**t* *i** **r*in*lity *y s*n*in* r

7.5

Basic Information

Concerned about an active attack path?

CVE-2022-21698: Uncontrolled Resource Consumption in promhttp

Impact

Affected Configuration

Patches

Workarounds

For more information

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI