Prometheus Memory Exhaustion Vulnerability in Remote Read Endpoint Allowing Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in Prometheus releases prior to 3.5.3 and prior to 3.11.3. The remote read endpoint (/api/v1/read) accepts a snappy-compressed request body and sizes its decompression buffer from the uncompressed-length prefix that the body itself declares, without validating that length before allocating. Because the declared length is attacker-controlled and independent of the number of bytes actually sent, an unauthenticated client can make each request of a few bytes trigger a heap allocation of up to the 4 GiB maximum the snappy block format allows. A modest number of concurrent requests is enough to exhaust the host's available memory and crash the Prometheus process.
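The following Go program, added here as an illustration and not taken from Prometheus or its patch, shows the mechanism described above: a seven-byte body whose snappy length prefix claims a 4 GiB output, the pre-fix allocation pattern that trusts that prefix, and a guard that rejects the declared length before any buffer is allocated. The 64 MiB ceiling, the function names and the constructed request bodies are assumptions for the example; real remote read traffic is protobuf-encoded ReadRequest messages, which this code does not parse. It uses only the standard library, reading the varint prefix exactly as a snappy decoder does, so it runs offline.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"math"
)

// maxDecodedLen is an assumed per-request ceiling on the uncompressed body.
// Size it to the largest legitimate ReadRequest your readers actually send.
const maxDecodedLen = 64 << 20 // 64 MiB (assumed value, not a Prometheus default)

// declaredDecodedLen reads the uncompressed-length varint that begins every
// snappy block. This is the value a snappy decoder uses to size its output
// buffer, and it is entirely under the sender's control.
func declaredDecodedLen(body []byte) (uint64, int, error) {
	n, k := binary.Uvarint(body)
	if k <= 0 {
		return 0, 0, errors.New("snappy: missing or corrupt length prefix")
	}
	if n > math.MaxUint32 {
		// The snappy format caps the uncompressed length at 2^32-1.
		return 0, 0, errors.New("snappy: declared length exceeds format maximum")
	}
	return n, k, nil
}

// craftedBody is constructed attacker input: a 5-byte varint claiming
// 4 GiB of output followed by two filler bytes. Seven bytes on the wire.
func craftedBody() []byte {
	buf := make([]byte, binary.MaxVarintLen64)
	k := binary.PutUvarint(buf, math.MaxUint32)
	return append(buf[:k], 0x00, 0x00)
}

// benignBody is a constructed well-formed block: prefix declares 16 bytes,
// then a single snappy literal tag (length-1 = 15, shifted left by 2) and
// the 16 literal bytes themselves.
func benignBody() []byte {
	buf := make([]byte, binary.MaxVarintLen64)
	k := binary.PutUvarint(buf, 16)
	body := append(buf[:k], 0x3c)
	return append(body, []byte("0123456789abcdef")...)
}

// allocateLikeVulnerableHandler mirrors the pre-fix behaviour: the output
// buffer is sized from the declared length before anything else is checked.
// Calling it on craftedBody() attempts a ~4 GiB allocation per request.
func allocateLikeVulnerableHandler(body []byte) ([]byte, error) {
	n, _, err := declaredDecodedLen(body)
	if err != nil {
		return nil, err
	}
	return make([]byte, n), nil
}

// checkedDecodedLen is the shape of the guard the advisory describes:
// validate the declared length against a ceiling before allocating.
func checkedDecodedLen(body []byte, limit uint64) (uint64, error) {
	n, _, err := declaredDecodedLen(body)
	if err != nil {
		return 0, err
	}
	if n > limit {
		return 0, fmt.Errorf("remote read: declared decoded length %d exceeds limit %d", n, limit)
	}
	return n, nil
}

// compressedSizeWithinLimit is the only check a reverse proxy body-size
// limit can perform. The crafted body passes it trivially, which is why a
// size cap on the compressed request is not a mitigation by itself.
func compressedSizeWithinLimit(body []byte, limit int) bool {
	return len(body) <= limit
}

func main() {
	crafted := craftedBody()
	n, _, _ := declaredDecodedLen(crafted)
	fmt.Printf("crafted body: %d bytes on the wire, declares %d bytes of output\n", len(crafted), n)
	fmt.Printf("passes a 1 MiB compressed-size cap: %v\n", compressedSizeWithinLimit(crafted, 1<<20))
	if _, err := checkedDecodedLen(crafted, maxDecodedLen); err != nil {
		fmt.Println("guard rejected:", err)
	}
	buf, err := allocateLikeVulnerableHandler(benignBody())
	fmt.Printf("benign body allocates %d bytes (err=%v)\n", len(buf), err)
	// allocateLikeVulnerableHandler(crafted) is deliberately not called here;
	// it would try to allocate 4 GiB, which is the vulnerability.
}
```

The important point the program makes is that the allocation is decoupled from the request size: neither a proxy's client_max_body_size nor an http.MaxBytesReader on the handler changes what the length prefix says, so the only effective controls are checking that prefix before allocating (the fix) or keeping untrusted clients away from the endpoint (the workaround).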

Impact

Each crafted request consumes heap in proportion to the length it declares rather than the bytes it carries, so an attacker with network access to the endpoint can drive the process to memory exhaustion and crash it, typically as an out-of-memory kill. While the process is down, scraping, rule evaluation and alerting stop until it restarts, and repeated requests can keep it down. No credentials are required.

Remediation

Upgrade to Prometheus 3.5.3 or 3.11.3, whichever matches the release line in use. Where upgrading is not immediately possible, place Prometheus behind a reverse proxy or firewall that requires authentication before requests reach /api/v1/read, or block the path outright if nothing consumes remote read (only other Prometheus servers, long-term storage systems and similar readers need it). Prometheus's own web configuration file (--web.config.file) can also enforce basic auth or client TLS, though that applies to every endpoint, including the UI and query API. A request body size limit on the proxy is not a mitigation on its own: the malicious body is only a few bytes, and the allocation is driven by the length the body declares, not by its size.

Added: May 4, 2026, 7:24 PM
Updated: May 4, 2026, 7:24 PM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 2.5
exploitability: 8.0
remediation: 7.9
relevance: 7.4
threat: 3.2
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.