Prometheus Stored Cross-Site Scripting Vulnerability in Web UI

Vulnerability

A stored cross-site scripting vulnerability has been identified in Prometheus versions 3.0 prior to 3.5.1 and 3.6.0 prior to 3.11.1. It exists in several components of the Prometheus web UI, where metric names and label values are inserted into innerHTML without HTML escaping. In both the Mantine UI and the old React UI, chart tooltips on the Graph page render metric names containing HTML or JavaScript without sanitization. In the old React UI, the Metric Explorer fuzzy search results and the heatmap cell tooltips also fail to sanitize label values. Because Prometheus 3.x accepts UTF-8 metric and label names (they are no longer limited to the legacy character set), characters such as `<`, `>` and `"` can reach the UI through any ingestion path, including scrape targets, remote write and the OTLP receiver. An attacker who can get such a series stored can therefore execute arbitrary JavaScript in the browser of any user who views the affected metric. Because that script runs with the viewer's access to the Prometheus HTTP API, its impact depends on which flags the server runs with: the configuration can always be read (the status/config endpoint), series can be deleted if `--web.enable-admin-api` is set, and the server can be shut down if `--web.enable-lifecycle` is set.
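The following is an added example and not code from the Prometheus project: it reproduces the unsafe pattern described above (building tooltip markup from raw metric data and handing it to innerHTML) next to an escaped version, and adds a small check that flags stored series whose names or label values carry HTML-significant characters. The function names, the escaper and the sample series are assumptions for illustration; the sample mimics the `data` array returned by the series API and is constructed here, not captured from a real server.

```javascript
// Added example (not Prometheus project code). Names and sample data are
// assumptions chosen for illustration.

// Constructed sample, shaped like entries from /api/v1/series: one benign
// series and two whose UTF-8 metric name / label value carry markup, as an
// attacker could push them via remote write or a hostile scrape target.
const SAMPLE_SERIES = [
  { __name__: 'http_requests_total', job: 'api', instance: '10.0.0.5:9100' },
  { __name__: 'x<img src=x onerror=alert(document.cookie)>', job: 'api', instance: 'evil' },
  { __name__: 'node_load1', job: 'node',
    instance: '<script>fetch("/api/v1/status/config")</script>' },
];

// Minimal HTML escaper: the five characters that matter in text and
// attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Format a series the way a tooltip would: name{label="value", ...}.
// `escape` is applied to every piece of metric data; the default is identity.
function formatSeries(labels, escape) {
  const e = escape || ((x) => x);
  const name = labels.__name__ || '';
  const rest = Object.keys(labels)
    .filter((k) => k !== '__name__')
    .sort()
    .map((k) => `${e(k)}="${e(labels[k])}"`)
    .join(', ');
  return `${e(name)}{${rest}}`;
}

// Vulnerable pattern: the string is built from raw label data and later
// assigned to element.innerHTML, so markup in a name or value is parsed as HTML.
function renderTooltipUnsafe(labels, value) {
  return `<div class="tooltip"><b>${formatSeries(labels)}</b>: ${value}</div>`;
}

// Hardened pattern: every interpolated piece of metric data is escaped, so it
// reaches the DOM as text. Writing it via textContent would be equivalent.
function renderTooltipSafe(labels, value) {
  return `<div class="tooltip"><b>${formatSeries(labels, escapeHtml)}</b>: ${escapeHtml(value)}</div>`;
}

// Check for the mitigation advice: flag stored series whose metric name,
// label names or label values contain HTML-significant characters. Feed it
// the `data` array of a series API response.
function findPoisonedSeries(seriesList) {
  const markup = /[<>"'&]/;
  return seriesList.filter((labels) =>
    Object.entries(labels).some(([k, v]) => markup.test(k) || markup.test(v)));
}

// Stand-alone demo: shows the raw markup surviving in the unsafe output and
// being neutralised in the safe one, then the count of suspicious series.
for (const s of SAMPLE_SERIES) {
  console.log('unsafe:', renderTooltipUnsafe(s, 1));
  console.log('safe:  ', renderTooltipSafe(s, 1));
}
console.log('poisoned series:', findPoisonedSeries(SAMPLE_SERIES).length);
```

Run it with node; the second sample shows why escaping the metric name matters even when label values are clean, and `findPoisonedSeries` can be pointed at a real series dump to find data that would have triggered the bug before the upgrade.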

Impact

Exploitation of this vulnerability allows stored cross-site scripting: injected JavaScript executes in the browser of any user who views the poisoned metric in the Prometheus web UI, with that user's access to the Prometheus HTTP API.

Remediation

Update to Prometheus version 3.5.2 or 3.11.2, where this vulnerability has been patched. If an immediate update is not possible, reduce exposure on both the ingestion and the impact side: ensure the remote write and OTLP receivers are not reachable from untrusted sources, verify that all scrape targets are trusted, avoid enabling the admin and lifecycle API endpoints (`--web.enable-admin-api`, `--web.enable-lifecycle`) in environments where untrusted data may be ingested, and do not follow untrusted links to the web UI, since a crafted Graph page query can produce poisoned label names and values without any data being stored.

Added: Apr 15, 2026, 11:35 PM
Updated: Apr 15, 2026, 11:35 PM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 1.7
exploitability: 6.5
remediation: 7.9
relevance: 5.6
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these eight key vulnerability categories, which are then combined to calculate the overall risk score.