Scraparr Readarr Integration API Key Exposure Vulnerability

Vulnerability

A vulnerability in Scraparr, a Prometheus exporter for the *arr Suite, allows for the exposure of Readarr API keys in metric labels. This issue affects versions 3.0.0-beta prior to 3.0.2. The vulnerability arises when the Readarr integration is enabled without a custom alias, the exporter's /metrics endpoint is accessible to external or unauthorized users, and the Readarr instance is externally reachable. Under these conditions, the Readarr API key could be leaked through the exported metrics.

Impact

Exposing the Readarr API key in Prometheus metrics could lead to unauthorized access to the Readarr instance, allowing for potential manipulation or retrieval of sensitive data.

Remediation

Users should upgrade to Scraparr version 3.0.2 or later, where this vulnerability has been fixed by removing API keys from metric label values. If an immediate upgrade is not possible, users should restrict external access to their Readarr instance and protect the /metrics endpoint with authentication or bind it to localhost.
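One check an operator can run against their own exporter's /metrics output before and after the upgrade, as an added example that is not Scraparr's code: it parses Prometheus text-format lines and flags label values that look like an *arr API key or sit under a secret-sounding label name. The metric names, the key value and the assumption that an *arr API key is 32 lowercase hex characters are constructed for the example.

```python
import re

# Constructed sample of Prometheus exposition text, modelled on the issue
# described above: a Readarr metric whose label set carries the API key
# because no alias was configured. Metric names and the key are made up.
SAMPLE_METRICS = """\
# HELP readarr_book_count Number of books tracked by Readarr
# TYPE readarr_book_count gauge
readarr_book_count{alias="0123456789abcdef0123456789abcdef",instance="readarr"} 42
# HELP sonarr_series_count Number of series tracked by Sonarr
sonarr_series_count{alias="sonarr-main",instance="sonarr"} 17
"""

# Label names that are suspicious on their own (assumption: common names).
SECRET_LABEL_NAMES = {"api_key", "apikey", "token", "password", "secret"}
# Values shaped like an *arr API key (assumption: 32 lowercase hex chars).
ARR_KEY_RE = re.compile(r"^[0-9a-f]{32}$")
# Prometheus text format: metric_name{label="value",...} sample_value
METRIC_RE = re.compile(r"^([A-Za-z_:][A-Za-z0-9_:]*)\{([^}]*)\}\s+\S+")
LABEL_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="((?:\\.|[^"\\])*)"')


def find_leaked_labels(metrics_text):
    """Return (metric, label, value) triples whose label value looks like a
    secret. Feed it the body of your own exporter's /metrics response."""
    findings = []
    for line in metrics_text.splitlines():
        if not line or line.startswith("#"):
            continue  # skip HELP/TYPE comments and blank lines
        m = METRIC_RE.match(line)
        if not m:
            continue  # unlabelled samples carry no label values to leak
        metric, labels = m.group(1), m.group(2)
        for name, value in LABEL_RE.findall(labels):
            if name.lower() in SECRET_LABEL_NAMES or ARR_KEY_RE.match(value):
                findings.append((metric, name, value))
    return findings


if __name__ == "__main__":
    for metric, name, value in find_leaked_labels(SAMPLE_METRICS):
        print(f"{metric}: label {name!r} looks like a secret ({value[:6]}...)")
```

A non-empty result means the exporter is still publishing credentials in labels, so the /metrics endpoint must stay behind authentication or bound to localhost until the fixed version is deployed.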

Added: Feb 12, 2026, 10:31 PM
Updated: Feb 12, 2026, 10:31 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.9
remediation: 0.0
relevance: 3.0
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.