Skip to content

InstrumentHandler* HTTP middleware prone to DoS through method label cardinality

Moderate
bwplotka published GHSA-cg3q-j54f-5p7p Feb 15, 2022

Package

gomod github.com/prometheus/client_golang/prometheus/promhttp (Go)

Affected versions

< 1.11.1

Patched versions

1.11.1

Description

Impact

HTTP server susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods.

Affected Configuration

In order to be affected, an instrumented software must

  • Use any of promhttp.InstrumentHandler* middleware except RequestsInFlight.
  • Do not filter any specific methods (e.g GET) before middleware.
  • Pass metric with method label name to our middleware.
  • Not have any firewall/LB/proxy that filters away requests with unknown method.

Patches

Workarounds

If you cannot upgrade to v1.11.1 or above, in order to stop being affected you can:

  • Remove method label name from counter/gauge you use in the InstrumentHandler.
  • Turn off affected promhttp handlers.
  • Add custom middleware before promhttp handler that will sanitize the request method given by Go http.Request.
  • Use a reverse proxy or web application firewall, configured to only allow a limited set of methods.

For more information

If you have any questions or comments about this advisory:

Severity

Moderate

CVE ID

CVE-2022-21698

Weaknesses

No CWEs

Credits