Prometheus Legacy Web UI Heatmap Chart Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in the Prometheus server's legacy web UI. It affects versions from 2.49.0 onward that predate the fixed releases 3.5.3 and 3.11.3. When the heatmap chart view is used, the histogram bucket label values (the bucket upper bounds plotted on the chart's value axis) are inserted into the HTML as axis tick mark labels without being escaped. An attacker who can get crafted label values into the server, for example by controlling a scrape target, can therefore execute JavaScript in the browser of any user who views the heatmap chart for that data. The vulnerability is only reachable when the legacy web UI is enabled via the command-line flag '--enable-feature=old-ui'.

Impact

Exploitation of this vulnerability results in stored cross-site scripting: the injected JavaScript runs in the origin of the Prometheus web UI, in the session of the user viewing the heatmap chart, and can act on the UI with that user's access.

Remediation

Update to Prometheus 3.5.3 or 3.11.3, where this vulnerability has been patched. If an immediate update is not possible, disable the legacy web UI by removing the '--enable-feature=old-ui' command-line flag; the vulnerable heatmap view is then no longer served. Deployments that must keep the old UI enabled should ensure that scrape targets are trusted and not under attacker control, and users should avoid opening untrusted links to the Prometheus UI, since a shared graph URL carries the PromQL expression that produces the plotted label values.
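
The following is an added example, not Prometheus's own UI code, illustrating the flaw described above and the check suggested for deployments that keep the old UI. It assumes the axis labels are taken from the "le" label of classic histogram buckets, that a scrape target can return arbitrary label values, and it uses a constructed sample exposition; all function names are hypothetical.

```javascript
// Added example, not Prometheus's own code: the unescaped-label pattern
// behind the heatmap XSS, its hardened form, and a scanner for bucket
// label values that could not be legitimate bucket bounds.
//
// Assumption: the axis tick labels come from the "le" label of classic
// histogram buckets (the bucket upper bound).

// Constructed sample exposition: three normal buckets plus one whose
// "le" value was set by a hostile scrape target. Prometheus stores any
// valid label value without judging its contents.
const SAMPLE_EXPOSITION = `
# HELP http_request_duration_seconds Request latency in seconds.
# TYPE http_request_duration_seconds histogram
http_request_duration_seconds_bucket{le="0.1"} 7
http_request_duration_seconds_bucket{le="0.5"} 9
http_request_duration_seconds_bucket{le="<img src=x onerror=alert(1)>"} 9
http_request_duration_seconds_bucket{le="+Inf"} 10
http_request_duration_seconds_count 10
`;

// Pull the "le" label value out of every *_bucket sample line.
// Text-format label values are quoted and may contain \\, \" and \n.
function parseBucketLeValues(exposition) {
  const bucketLine = /^[A-Za-z_:][A-Za-z0-9_:]*_bucket\{/;
  const leLabel = /\ble="((?:[^"\\]|\\.)*)"/;
  const values = [];
  for (const raw of exposition.split("\n")) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#") || !bucketLine.test(line)) continue;
    const m = leLabel.exec(line);
    if (!m) continue;
    values.push(m[1].replace(/\\(["\\n])/g, (_, c) => (c === "n" ? "\n" : c)));
  }
  return values;
}

// Vulnerable pattern: the raw label value is interpolated into markup
// that the UI then hands to innerHTML. Any markup in the value becomes
// part of the page, and its event handlers run as the viewing user.
function renderTickLabelsUnsafe(leValues) {
  return leValues.map((v) => `<text class="tick">${v}</text>`).join("");
}

// Hardened form: escape the HTML-significant characters before
// interpolating (or, in real DOM code, assign textContent instead).
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}
function renderTickLabelsSafe(leValues) {
  return leValues.map((v) => `<text class="tick">${escapeHtml(v)}</text>`).join("");
}

// Check for an unpatched deployment that must keep the old UI: a
// legitimate "le" value is a float or +Inf, so anything else coming
// from a scrape target (or a query result) deserves a look.
const VALID_BUCKET_BOUND = /^[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$|^[+-]?Inf$/;
function suspiciousLeValues(leValues) {
  return leValues.filter((v) => !VALID_BUCKET_BOUND.test(v));
}

// Stand-alone run: shows the difference between the two renderers.
const le = parseBucketLeValues(SAMPLE_EXPOSITION);
console.log("unsafe:", renderTickLabelsUnsafe(le));
console.log("safe:  ", renderTickLabelsSafe(le));
console.log("suspicious le values:", suspiciousLeValues(le));
```

The scanner is deliberately strict: it flags any bucket bound that is not a float or an infinity, so a target emitting, say, a stray whitespace-padded bound will also show up, which is the right side to err on before a human looks at it.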

Added: May 26, 2026, 11:46 PM
Updated: May 26, 2026, 11:46 PM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 1.7
exploitability: 5.3
remediation: 8.3
relevance: 9.6
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.