CGA-93vr-4696-924c
Denial of Service vulnerability in client_golang (Go)

Type: Denial of Service · Known exploit: none · Fixable by Resolved Security

What is CGA-93vr-4696-924c About?

This vulnerability in the Go client library for Prometheus (client_golang) leads to a Denial of Service through unbounded cardinality. It occurs when handling HTTP requests with non-standard methods, potentially causing memory exhaustion. Exploitation relies on specific configurations and the ability to send requests with arbitrary HTTP methods.

Affected Software

github.com/prometheus/client_golang <1.11.1

Technical Details

The promhttp package in client_golang (the Go client library for Prometheus) is susceptible to a Denial of Service. The vulnerable configuration is one where promhttp.InstrumentHandler* middleware (excluding RequestsInFlight) is used and a metric with a 'method' label name is passed to it. If the instrumented server accepts requests with arbitrary or non-standard HTTP methods without filtering them, each distinct method value becomes a new label value and therefore a new time series, so the metric's cardinality is bounded only by the number of distinct methods an attacker chooses to send. Memory consumption in the registry grows with the number of series rather than with the number of requests, and can ultimately exhaust memory and cause a Denial of Service.

What is the Impact of CGA-93vr-4696-924c?

Successful exploitation may allow attackers to cause a denial-of-service condition, making the Prometheus-instrumented application or server unavailable due to excessive memory usage.

What is the Exploitability of CGA-93vr-4696-924c?

Exploitation requires multiple specific configuration prerequisites: the use of promhttp.InstrumentHandler* middleware (excluding RequestsInFlight), the passage of a metric with a method label name to the middleware, and the absence of method filtering before the middleware or by upstream proxies/firewalls. The complexity is low for an attacker who can send HTTP requests with arbitrary method names to the vulnerable endpoint. No authentication or specific privileges are required for an attacker to send these requests. This is a remote vulnerability, as attackers can trigger it by sending network requests. The primary risk factor that increases exploitation likelihood is any exposed Prometheus-instrumented endpoint that does not sufficiently filter or sanitize HTTP method inputs.
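To make the cardinality mechanism from the Technical Details and the "filtering before the middleware" prerequisite above concrete, here is an added Go example. It is not code from client_golang or Prometheus and uses only the standard library: a map keyed by method stands in for the metric vector's 'method' label, so the number of distinct keys approximates the number of series a real registry would hold. It then shows two defensive layers, an allowlist filter placed in front of the instrumentation and a sanitizer that collapses any non-standard method into one "unknown" bucket. The handler names, the "unknown" value, and the constructed request methods are this example's own assumptions, not the project's API or its actual fix.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// MethodSeries is a constructed stand-in for a metric vector carrying a
// "method" label: one map entry per distinct label value, which is what a
// Prometheus registry would hold as one time series each.
type MethodSeries struct {
	mu     sync.Mutex
	counts map[string]int
}

func NewMethodSeries() *MethodSeries {
	return &MethodSeries{counts: make(map[string]int)}
}

// Observe records one request under the given label value.
func (m *MethodSeries) Observe(method string) {
	m.mu.Lock()
	defer m.mu.Unlock()
	m.counts[method]++
}

// Cardinality is the number of distinct series created so far; registry
// memory grows with this number, not with the request count.
func (m *MethodSeries) Cardinality() int {
	m.mu.Lock()
	defer m.mu.Unlock()
	return len(m.counts)
}

// standardMethods is the assumed allowlist: the nine methods net/http
// defines constants for.
var standardMethods = map[string]bool{
	http.MethodGet: true, http.MethodHead: true, http.MethodPost: true,
	http.MethodPut: true, http.MethodPatch: true, http.MethodDelete: true,
	http.MethodConnect: true, http.MethodOptions: true, http.MethodTrace: true,
}

// SanitizeMethod collapses every non-standard method to a single "unknown"
// value (name chosen for this example), bounding the label to ten values.
func SanitizeMethod(method string) string {
	if standardMethods[method] {
		return method
	}
	return "unknown"
}

// instrument mimics the middleware's label handling. With sanitize=false the
// request method is used verbatim, so every new method is a new series.
func instrument(series *MethodSeries, sanitize bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		label := r.Method
		if sanitize {
			label = SanitizeMethod(label)
		}
		series.Observe(label)
		next.ServeHTTP(w, r)
	})
}

// filterMethods is the "filtering before the middleware" layer: requests with
// a non-standard method are rejected before instrumentation ever sees them.
func filterMethods(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !standardMethods[r.Method] {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// ConstructedMethods returns n distinct, syntactically valid but non-standard
// HTTP methods ("M0", "M1", ...) as constructed sample input.
func ConstructedMethods(n int) []string {
	methods := make([]string, n)
	for i := range methods {
		methods[i] = fmt.Sprintf("M%d", i)
	}
	return methods
}

// Simulate drives the methods through one of three handler chains
// ("vulnerable", "filter" or "sanitize") and reports the resulting series
// count and how many requests were rejected with 405.
func Simulate(methods []string, mode string) (cardinality, rejected int) {
	series := NewMethodSeries()
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	var h http.Handler
	switch mode {
	case "filter":
		h = filterMethods(instrument(series, false, ok))
	case "sanitize":
		h = instrument(series, true, ok)
	default:
		h = instrument(series, false, ok)
	}
	for _, m := range methods {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, httptest.NewRequest(m, "/", nil))
		if rec.Code == http.StatusMethodNotAllowed {
			rejected++
		}
	}
	return series.Cardinality(), rejected
}

func main() {
	methods := append([]string{"GET", "POST"}, ConstructedMethods(1000)...)
	for _, mode := range []string{"vulnerable", "filter", "sanitize"} {
		c, rej := Simulate(methods, mode)
		fmt.Printf("%-10s series=%d rejected=%d\n", mode, c, rej)
	}
}
```

Running it shows the unfiltered chain creating one series per distinct method (1002 for two standard methods plus 1000 constructed ones), while the filter chain stays at 2 and the sanitizing chain at 3. The filter is the layer a reverse proxy or firewall would provide; the sanitizer is the layer a library can provide on its own when no upstream filter can be assumed.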

What are the Known Public Exploits?

No known public exploits (no PoC, author, link or commentary listed).

What are the Available Fixes for CGA-93vr-4696-924c?

A Fix by Resolved Security Exists!
See how we help you strengthen security with automated backported fixes for your libraries.

About the Fix from Resolved Security

None

Available Upgrade Options

  • github.com/prometheus/client_golang
    • <1.11.1 → Upgrade to 1.11.1


Additional Resources

What are Similar Vulnerabilities to CGA-93vr-4696-924c?

Similar Vulnerabilities: CVE-2018-1000007, CVE-2021-39180, CVE-2023-38891, CVE-2021-29490, CVE-2020-26279