CVE-2022-21698
Denial of Service vulnerability in client_golang (Go)

Tags: Denial of Service | No known exploit | Fixable by Resolved Security

What is CVE-2022-21698 About?

This vulnerability in the Go client library for Prometheus (client_golang) leads to a Denial of Service through unbounded cardinality. It occurs when handling HTTP requests with non-standard methods, potentially causing memory exhaustion. Exploitation relies on specific configurations and the ability to send requests with arbitrary HTTP methods.

Affected Software

github.com/prometheus/client_golang <1.11.1

Technical Details

The promhttp package in client_golang (the Go client library for Prometheus) is susceptible to a Denial of Service. The vulnerable configuration is any promhttp.InstrumentHandler* middleware (excluding RequestsInFlight) that is passed a metric with a 'method' label name. If the instrumented server accepts requests with arbitrary or non-standard HTTP methods without filtering them, each unique method name becomes a new label value and therefore a new series in Prometheus, so the label cardinality is unbounded and attacker-controlled. This can cause excessive memory consumption and ultimately result in a Denial of Service due to memory exhaustion.

What is the Impact of CVE-2022-21698?

Successful exploitation may allow attackers to cause a denial-of-service condition, making the Prometheus-instrumented application or server unavailable due to excessive memory usage.

What is the Exploitability of CVE-2022-21698?

Exploitation requires several configuration prerequisites to hold at once: the use of promhttp.InstrumentHandler* middleware (excluding RequestsInFlight), a metric with a method label name being passed to that middleware, and the absence of method filtering either before the middleware or by upstream proxies/firewalls. The complexity is low for an attacker who can send HTTP requests with arbitrary method names to the vulnerable endpoint. No authentication or specific privileges are required to send these requests. This is a remote vulnerability, as attackers can trigger it with network requests alone. The primary factor that increases exploitation likelihood is any exposed Prometheus-instrumented endpoint that does not sufficiently filter or sanitize HTTP method inputs.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2022-21698?

A Fix by Resolved Security Exists!
Learn how our approach backports security patches directly to your dependencies.

About the Fix from Resolved Security

This patch restricts the set of accepted HTTP method and status code values when populating Prometheus metric labels, mapping any unrecognized method or out-of-range status code to "unknown", and adds an explicit mechanism to configure additional accepted methods. This prevents attackers from injecting arbitrary method or status code values to create unbounded, attacker-controlled label cardinality, fixing the root cause of CVE-2022-21698 (uncontrolled label growth leading to memory exhaustion and denial of service in Prometheus metrics).
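The following Go program, added here as an illustration and not taken from client_golang or from Resolved Security's patch, models both the mechanism described under Technical Details and the label sanitization described above. A toy counter stands in for a Prometheus CounterVec so that cardinality can be observed directly; the `methodLabel`, `codeLabel`, `instrument`, `simulate` and `constructedMethods` names, the `extraMethods` whitelist parameter, and the request methods fed in are all constructed for this example. Run with the raw method as the label, the constructed stream of 50 distinct made-up methods produces 50 extra series; with sanitization, they collapse into the single "unknown" value.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
	"sync"
)

// standardMethods is the fixed label vocabulary: the nine methods from RFC 7231/5789.
var standardMethods = map[string]string{
	"GET": "get", "HEAD": "head", "POST": "post", "PUT": "put", "DELETE": "delete",
	"CONNECT": "connect", "OPTIONS": "options", "TRACE": "trace", "PATCH": "patch",
}

// methodLabel maps a request method onto the bounded vocabulary. extraMethods is an
// assumed operator-configured whitelist (modelled on the "configure additional accepted
// methods" mechanism the advisory describes); anything else becomes "unknown".
func methodLabel(method string, extraMethods []string) string {
	if v, ok := standardMethods[strings.ToUpper(method)]; ok {
		return v
	}
	for _, e := range extraMethods {
		if strings.EqualFold(e, method) {
			return strings.ToLower(e)
		}
	}
	return "unknown"
}

// codeLabel accepts only valid HTTP status codes (100-599); anything else is "unknown".
func codeLabel(code int) string {
	if code < 100 || code > 599 {
		return "unknown"
	}
	return strconv.Itoa(code)
}

// seriesCounter is a toy stand-in for a CounterVec keyed on (method, code): each
// distinct label pair is one time series, so len(series) is the cardinality.
type seriesCounter struct {
	mu     sync.Mutex
	series map[string]int
}

func (c *seriesCounter) inc(method, code string) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.series[method+"|"+code]++
}

func (c *seriesCounter) cardinality() int {
	c.mu.Lock()
	defer c.mu.Unlock()
	return len(c.series)
}

// statusRecorder captures the status code written by the wrapped handler.
type statusRecorder struct {
	http.ResponseWriter
	code int
}

func (r *statusRecorder) WriteHeader(code int) { r.code = code; r.ResponseWriter.WriteHeader(code) }

// instrument wraps next the way an InstrumentHandler* middleware with a method label
// would. sanitize=false uses the raw request method as the label value (the vulnerable
// behaviour); sanitize=true normalises method and code first (the fixed behaviour).
func instrument(counter *seriesCounter, sanitize bool, extra []string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		rec := &statusRecorder{ResponseWriter: w, code: http.StatusOK}
		next.ServeHTTP(rec, r)
		method, code := strings.ToLower(r.Method), strconv.Itoa(rec.code)
		if sanitize {
			method, code = methodLabel(r.Method, extra), codeLabel(rec.code)
		}
		counter.inc(method, code)
	})
}

// constructedMethods builds a sample request stream: a few real methods plus n
// distinct made-up ones (constructed input, not captured traffic).
func constructedMethods(n int) []string {
	methods := []string{"GET", "POST", "PURGE", "GET"}
	for i := 0; i < n; i++ {
		methods = append(methods, fmt.Sprintf("BOGUS-%d", i))
	}
	return methods
}

// simulate drives the middleware with the given methods and returns how many
// distinct series the counter ended up holding.
func simulate(methods []string, sanitize bool, extra []string) int {
	counter := &seriesCounter{series: map[string]int{}}
	h := instrument(counter, sanitize, extra, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	for _, m := range methods {
		h.ServeHTTP(httptest.NewRecorder(), httptest.NewRequest(m, "/", nil))
	}
	return counter.cardinality()
}

func main() {
	ms := constructedMethods(50)
	fmt.Printf("raw method labels:       %d series\n", simulate(ms, false, nil))              // 53
	fmt.Printf("sanitized labels:        %d series\n", simulate(ms, true, nil))               // 3
	fmt.Printf("sanitized + PURGE extra: %d series\n", simulate(ms, true, []string{"PURGE"})) // 4
}
```

The design point is that the label value space must be chosen by the operator, never by the client: a bounded vocabulary with an explicit, configured escape hatch (`extraMethods`) keeps cardinality at a known maximum regardless of what a caller puts on the request line, and the same closed-set rule is applied to the status code so a misbehaving handler cannot grow the series set either.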

Available Upgrade Options

  • github.com/prometheus/client_golang
    • <1.11.1 → Upgrade to 1.11.1


Additional Resources

What are Similar Vulnerabilities to CVE-2022-21698?

Similar Vulnerabilities: CVE-2018-1000007, CVE-2021-39180, CVE-2023-38891, CVE-2021-29490, CVE-2020-26279