DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

GHSA-FW8G-CG8F-9J28: Stored Cross-Site Scripting in Prometheus Legacy Web UI Heatmap

Vulnerability ID: GHSA-FW8G-CG8F-9J28
CVSS Score: 6.5
Published: 2026-05-05

Prometheus versions prior to 3.11.3 contain a stored cross-site scripting (XSS) vulnerability in the legacy web UI's heatmap visualization. The heatmap renders the 'le' (less-than-or-equal, i.e. bucket upper bound) label of histogram _bucket series as y-axis tick text without HTML-escaping it. An attacker who controls a scrape target, or can otherwise get a series with a crafted 'le' value ingested, therefore stores arbitrary HTML and JavaScript in the TSDB. When any user opens the heatmap in the legacy UI, the payload executes in that user's browser with the privileges of their UI session, potentially exposing configuration or allowing actions to be performed on their behalf.

TL;DR

A stored XSS vulnerability in the Prometheus legacy web UI allows an attacker who can inject maliciously crafted histogram bucket ('le') labels into scraped metrics to execute arbitrary JavaScript in the browser of anyone who views the heatmap; affects versions prior to 3.11.3.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-79
  • Attack Vector: Network / Stored Ingestion
  • CVSS Score: 6.5 (Moderate)
  • Impact: Session Hijacking, Configuration Theft
  • Exploit Status: Proof of Concept
  • KEV Status: Not Listed

Affected Systems

  • Prometheus Server
  • Prometheus Legacy Web UI (Old UI)
  • Prometheus: < 3.11.3 (Fixed in: 3.11.3)

Code Analysis

Commit: 38f23b9

Fix XSS vulnerability in legacy UI heatmap rendering by applying escapeHTML to y-axis tick formatter.

--- a/web/ui/react-app/src/pages/graph/Graph.tsx
+++ b/web/ui/react-app/src/pages/graph/Graph.tsx
@@ -24,6 +24,7 @@ import { escapeHTML } from '../../utils';
-options.yaxis.tickFormatter = (val) => `${val ? data[val - 1].labels.le : ''}`;
+options.yaxis.tickFormatter = (val) => `${val ? escapeHTML(data[val - 1].labels.le) : ''}`;
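Review bot: data[val - 1] is still indexed without checking that val - 1 is below data.length, so a tick value past the last bucket reads undefined and throws on .labels before escapeHTML is ever reached; suggest guarding the index, e.g. `val && val <= data.length ? escapeHTML(data[val - 1].labels.le) : ''`. Since only the y-axis formatter is touched here, it is also worth confirming that no other label value in Graph.tsx is interpolated into a string the chart renders the same way.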

Exploit Details

  • Vulnerability Report: the proof-of-concept payload is an <img> tag with an onerror event handler placed in the 'le' label of a histogram bucket series. When the legacy heatmap renders that label as a y-axis tick, the browser parses the tag, fails to load the image, and runs the handler.
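The following is an added example, not code from the advisory or from the Prometheus project. It reproduces the legacy heatmap's y-axis tick formatter before and after the fix against constructed bucket data, with one 'le' value carrying the kind of payload the report describes. The escapeHTML implementation and the bucket series are assumptions standing in for the project's utility and for a real /api/v1/query response; the final hardened formatter goes one step past the project's fix by also bounds-checking the index.

```javascript
// Added example (not Prometheus project code): the legacy heatmap tick
// formatter before and after the fix, run against constructed data.

// Minimal HTML escaper with the same intent as the escapeHTML utility the fix
// imports from web/ui/react-app/src/utils (this implementation is assumed).
function escapeHTML(str) {
  return String(str).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Constructed bucket series, one label set per histogram bucket, shaped like
// what the UI receives from /api/v1/query. The third 'le' is a hostile value
// that a scrape target under attacker control could expose.
const data = [
  { labels: { __name__: 'http_request_duration_seconds_bucket', le: '0.1' } },
  { labels: { __name__: 'http_request_duration_seconds_bucket', le: '0.5' } },
  { labels: { __name__: 'http_request_duration_seconds_bucket',
              le: '<img src=x onerror=alert(document.cookie)>' } },
  { labels: { __name__: 'http_request_duration_seconds_bucket', le: '+Inf' } },
];

// Before the fix: the label is interpolated verbatim, so a chart that renders
// tick labels as HTML parses the tag and fires onerror.
function vulnerableTickFormatter(val) {
  return `${val ? data[val - 1].labels.le : ''}`;
}

// After the fix (commit 38f23b9): the same formatter with escapeHTML applied.
function fixedTickFormatter(val) {
  return `${val ? escapeHTML(data[val - 1].labels.le) : ''}`;
}

// One step beyond the project's fix: guard the index too, so a tick past the
// last bucket yields '' instead of throwing on data[val - 1].labels.
function hardenedTickFormatter(val) {
  if (!val || val < 1 || val > data.length) return '';
  return escapeHTML(data[val - 1].labels.le);
}

// True when a formatter output could still be parsed as markup.
function containsMarkup(s) {
  return /[<>]/.test(s);
}

// Render every tick position (ticks are 1-based in this formatter).
function renderTicks(formatter) {
  return data.map((_, i) => formatter(i + 1));
}

console.log('vulnerable:', renderTicks(vulnerableTickFormatter));
console.log('fixed:     ', renderTicks(fixedTickFormatter));
console.log('hardened:  ', renderTicks(hardenedTickFormatter));
```

The escaped output still shows the attacker's text on the axis, which is exactly what you want: the label is displayed as data rather than interpreted as markup, and the malformed bucket becomes visible to whoever looks at the chart.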

Mitigation Strategies

  • Upgrade Prometheus to version 3.11.3 or later.
  • Use the modern Prometheus UI (the default in 3.x, where the old UI only runs when enabled with the old-ui feature flag) or an external front end such as Grafana, and keep the legacy Old UI disabled until the upgrade is done. Note that a malicious label stays in the TSDB and will fire on any unpatched legacy UI that renders it.
  • Add metric_relabel_configs to the scrape configuration that drop (or rewrite) series whose 'le' label is anything other than a numeric bucket bound or +Inf. This only affects samples scraped after the change, not series already stored.
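An added example of the relabeling mitigation, not taken from the advisory or the Prometheus project. The job name and target are placeholders; the regex is an allowlist of the 'le' values a well-behaved client library produces. Prometheus fully anchors relabel regexes, so the empty alternative is what lets series without an 'le' label through untouched.

```yaml
scrape_configs:
  - job_name: 'app'                                # placeholder job name
    static_configs:
      - targets: ['app.example.internal:9100']     # placeholder target
    # metric_relabel_configs run on every scraped series before it is stored.
    # Prometheus anchors the regex as ^(?:...)$, so:
    #   - the empty alternative keeps series that carry no 'le' label at all
    #     (counters, gauges, native histograms);
    #   - for series with 'le', only a float as Go formats it (0.005, 10, 1e+06)
    #     or the +Inf bucket is kept; anything else, including any HTML
    #     metacharacter, is dropped before ingestion.
    metric_relabel_configs:
      - source_labels: [le]
        regex: '|\+Inf|[-+]?[0-9]*\.?[0-9]+(?:[eE][-+]?[0-9]+)?'
        action: keep
```

Reload the configuration (SIGHUP or POST /-/reload when --web.enable-lifecycle is set) and confirm via /api/v1/targets that the job still reports its histogram buckets; a too-strict pattern silently removes legitimate series, which is why an allowlist with keep is preferable to guessing at a drop pattern.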

Remediation Steps:

  1. Verify the currently deployed version of Prometheus using the /api/v1/status/buildinfo endpoint.
  2. Schedule a maintenance window to replace the Prometheus binary with version 3.11.3 or later.
  3. Restart the Prometheus service and verify successful startup and data ingestion.
  4. Audit stored metric data for anomalous 'le' labels (for example by listing /api/v1/label/le/values over the retention window and flagging any value that is not a numeric bound or +Inf) to identify past exploitation attempts and the scrape targets that produced them.
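The following is an added example, not code from the advisory or the Prometheus project, covering steps 1 and 4 of the remediation above. It takes the JSON shapes returned by /api/v1/status/buildinfo and /api/v1/label/le/values, decides whether the running version predates 3.11.3, and lists any 'le' value that could not have come from a normal histogram bucket. The two API responses are constructed stand-ins so the script runs offline; the version-comparison helper is an assumption written for this example.

```javascript
// Added example (not Prometheus project code): version check and 'le' label
// audit over constructed API responses.

const FIXED_VERSION = '3.11.3';

// Compare dotted version strings numerically. A pre-release suffix such as
// "-rc.0" sorts before the release it precedes. (Helper assumed for this example.)
function compareVersions(a, b) {
  const parse = (v) => v.replace(/^v/, '').split('-')[0].split('.').map(Number);
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  const preA = a.includes('-'), preB = b.includes('-');
  if (preA !== preB) return preA ? -1 : 1;
  return 0;
}

function isVulnerableVersion(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// A legitimate 'le' value is a float as Go formats it (0.005, 10, 1e+06) or
// the +Inf bucket. Anything else never comes from a well-behaved client
// library and deserves a look at the target that exposed it.
const VALID_LE = /^(\+Inf|[-+]?[0-9]*\.?[0-9]+(?:[eE][-+]?[0-9]+)?)$/;

function findSuspiciousLeValues(values) {
  return values.filter((v) => !VALID_LE.test(v));
}

// Constructed stand-ins for the two API responses (same JSON shape as the
// real endpoints; field values are made up).
const buildinfoResponse = {
  status: 'success',
  data: { version: '3.10.0', revision: 'abc123', branch: 'HEAD', goVersion: 'go1.23.0' },
};
const leValuesResponse = {
  status: 'success',
  data: [
    '0.005', '0.01', '0.5', '1e+06', '+Inf',
    '<img src=x onerror=alert(1)>',          // constructed hostile value
    '0.5"><script>alert(1)</script>',        // constructed hostile value
  ],
};

function audit(buildinfo, leValues) {
  return {
    version: buildinfo.data.version,
    needsUpgrade: isVulnerableVersion(buildinfo.data.version),
    suspiciousLe: findSuspiciousLeValues(leValues.data),
  };
}

console.log(JSON.stringify(audit(buildinfoResponse, leValuesResponse), null, 2));
```

Against a live server, fetch the two documents with curl (for example `curl -s http://prometheus:9090/api/v1/label/le/values`, adding start= and end= parameters to cover the whole retention window) and feed them to audit(). A suspicious value only tells you that such a series exists; follow up with /api/v1/series matching on that label to find the job and instance that exposed it.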

Read the full report for GHSA-FW8G-CG8F-9J28 on our website for more details including interactive diagrams and full exploit analysis.
