Renovate: Update module github.com/prometheus/prometheus to v0.311.2 [SECURITY] - abandoned #322

Open. renovate[bot] wants to merge 3 commits into master from renovate/go-github.com-prometheus-prometheus-vulnerability

Conversation

renovate Bot (Contributor) commented Apr 13, 2026

This PR contains the following updates:

Package: github.com/prometheus/prometheus
Change: v0.306.0 → v0.311.2

Prometheus has Stored XSS via metric names and label values in Prometheus web UI tooltips and metrics explorer

BIT-prometheus-2026-40179 / CVE-2026-40179 / GHSA-vffh-x6r8-xx99


Impact

Stored cross-site scripting (XSS) via crafted metric names in the Prometheus web UI:

  • Old React UI + New Mantine UI: When a user hovers over a chart tooltip on the Graph page, metric names containing HTML/JavaScript are injected into innerHTML without escaping, causing arbitrary script execution in the user's browser.
  • Old React UI only: When a user opens the Metric Explorer (globe icon next to the PromQL expression input field), and a metric name containing HTML/JavaScript is rendered in the fuzzy search results, it is injected into innerHTML without escaping, causing arbitrary script execution in the user's browser.
  • Old React UI only: When a user views a heatmap chart and hovers over a cell, the le label values of the underlying histogram buckets are interpolated into innerHTML without escaping. While le is conventionally a numeric bucket boundary, Prometheus does not enforce this — arbitrary UTF-8 strings are accepted as label values, allowing script injection via a crafted scrape target or remote write.

With Prometheus v3.x defaulting to UTF-8 metric and label name validation, characters like <, >, and " are now valid in metric names and labels, making this exploitable.

An attacker who can inject metrics (via a compromised scrape target, remote write, or OTLP receiver endpoint) can execute JavaScript in the browser of any Prometheus user who views the metric in the Graph UI. From the XSS context, an attacker could for example:

  • Read /api/v1/status/config to extract sensitive configuration (although credentials / secrets are redacted by the server)
  • Call /-/quit to shut down Prometheus (only if --web.enable-lifecycle is set)
  • Call /api/v1/admin/tsdb/delete_series to delete data (only if --web.enable-admin-api is set)
  • Exfiltrate metric data to an external server

Both the new Mantine UI and the old React UI are affected. The vulnerable code paths are:

  • web/ui/mantine-ui/src/pages/query/uPlotChartHelpers.ts — tooltip innerHTML with unescaped labels.__name__
  • web/ui/react-app/src/pages/graph/GraphHelpers.ts — tooltip content with unescaped labels.__name__
  • web/ui/react-app/src/pages/graph/MetricsExplorer.tsx — fuzzy search results rendered via dangerouslySetInnerHTML without sanitization
  • web/ui/react-app/src/vendor/flot/jquery.flot.heatmap.js — heatmap tooltip with unescaped label values
Patches

A patch has been published in Prometheus 3.5.2 LTS and Prometheus 3.11.2. The fix applies escapeHTML() to all user-controlled values (metric names and label values) before inserting them into innerHTML. This advisory will be updated with the patched version once released.

Workarounds
  • If using the remote write receiver (--web.enable-remote-write-receiver), ensure it is not exposed to untrusted sources.
  • If using the OTLP receiver (--web.enable-otlp-receiver), ensure it is not exposed to untrusted sources.
  • Ensure scrape targets are trusted and not under attacker control.
  • Do not enable admin / mutating API endpoints (e.g. --web.enable-admin-api or --web.enable-lifecycle) in cases where you cannot prevent untrusted data from being ingested.
  • Users should avoid clicking untrusted links, especially those containing functions such as label_replace, as they may generate poisoned label names and values.
Acknowledgements

Thanks to @gladiator9797 (Duc Anh Nguyen from TinyxLab) for reporting this.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

prometheus/prometheus (github.com/prometheus/prometheus)

Versions covered by this update: v0.311.2, v0.311.1, v0.311.0, v0.310.0, v0.309.1, v0.309.0, v0.308.1, v0.308.0, v0.307.3, v0.307.2, v0.307.1, v0.307.0


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
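The tooltip bug the advisory describes (metric name and label values interpolated into innerHTML without escaping) beside the escaping fix, as an added illustration that is not Prometheus's own code. The helper names, the sample series and the tooltip template are assumptions for this example; the escaping helper is assumed to behave like the escapeHTML() the advisory says the fix applies.

```javascript
// Added illustration (not Prometheus's own code) of the tooltip XSS pattern
// from the advisory and of the escaping fix. Function names and the sample
// series are assumptions for this example.

// Escape text that will be placed into innerHTML; assumed to behave like the
// escapeHTML() helper the advisory says the patched versions apply.
function escapeHTML(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Constructed sample series: with Prometheus 3.x UTF-8 names, a scrape target
// can expose a metric name and an `le` label value that contain HTML markup.
const SAMPLE_SERIES = {
  labels: { __name__: "up<b>bold</b>", le: "<i>0.5</i>", job: "api" },
  value: 42,
};

// Before the fix: the metric name and label values are interpolated straight
// into the markup that lands in innerHTML, so markup inside them is rendered.
function tooltipHTMLUnsafe(series) {
  const { __name__: name, ...rest } = series.labels;
  const labels = Object.entries(rest).map(([k, v]) => `${k}="${v}"`).join(", ");
  return `<div class="tooltip"><b>${name}</b>{${labels}} = ${series.value}</div>`;
}

// After the fix: every user-controlled value (metric name, label names and
// label values, `le` included) is escaped before insertion.
function tooltipHTMLSafe(series) {
  const { __name__: name, ...rest } = series.labels;
  const labels = Object.entries(rest)
    .map(([k, v]) => `${escapeHTML(k)}="${escapeHTML(v)}"`)
    .join(", ");
  return `<div class="tooltip"><b>${escapeHTML(name)}</b>{${labels}} = ${series.value}</div>`;
}

// Count tags in a fragment. The tooltip template itself contributes exactly
// four (<div>, <b>, </b>, </div>); anything beyond that came from the data.
function countTags(html) {
  return (html.match(/<[^>]+>/g) || []).length;
}
```

Running countTags over both renderings of SAMPLE_SERIES shows the difference: the unsafe tooltip carries the four injected tags from the metric name and the `le` value, the escaped one carries only the template's own four.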

renovate Bot (Contributor, Author) commented Apr 13, 2026

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum
Command failed: go mod tidy
go: finding module for package github.com/go-openapi/testify/v2/assert/yaml
go: downloading github.com/go-openapi/testify v0.0.0-20251001202347-e909893202bd
go: downloading github.com/go-openapi/testify/v2 v2.4.2
go: github.com/sapcc/absent-metrics-operator/controllers imports
	sigs.k8s.io/controller-runtime/pkg/client imports
	k8s.io/apimachinery/pkg/util/strategicpatch imports
	k8s.io/kube-openapi/pkg/validation/spec imports
	github.com/go-openapi/swag imports
	github.com/go-openapi/swag/loading tested by
	github.com/go-openapi/swag/loading.test imports
	github.com/go-openapi/testify/enable/yaml/v2 imports
	github.com/go-openapi/testify/v2/assert/yaml: module github.com/go-openapi/testify/v2@latest found (v2.4.2), but does not contain package github.com/go-openapi/testify/v2/assert/yaml

majewsky previously approved these changes Apr 21, 2026

majewsky (Contributor) commented:

@trouaux Do you want to take a look at this? As far as I can see, this can only be resolved by upgrading k8s.io/* dependencies, which I don't have experience with.

Commits:
  • init Parse for new go prometheus version
  • go get github.com/go-openapi/swag@v0.26.0
renovate Bot (Contributor, Author) commented Apr 22, 2026

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

trouaux (Collaborator) commented Apr 22, 2026

  • update method from prometheus api
    controllers/alert_rule.go

  • go get github.com/go-openapi/swag@v0.26.0
    to fix some test dependency from upstream

  • remove unused license BSD-2-Clause

go mod tidy
go mod vendor

@majewsky does this make sense?

github-actions commented:
Merging this branch will not change overall coverage

Impacted package: github.com/cloudoperators/absent-metrics-operator/controllers, coverage 0.00% (Δ: ø)

Coverage by file

Changed files (no unit tests)

Changed file: github.com/cloudoperators/absent-metrics-operator/controllers/alert_rule.go, coverage 0.00% (Δ: ø), total 0, covered 0, missed 0

Please note that the "Total", "Covered", and "Missed" counts above refer to code statements instead of lines of code. The value in brackets refers to the test coverage of that file in the old version of the code.

renovate Bot changed the title from "Renovate: Update module github.com/prometheus/prometheus to v0.311.2 [SECURITY]" to "Renovate: Update module github.com/prometheus/prometheus to v0.311.2 [SECURITY] - abandoned" on Apr 24, 2026

renovate Bot (Contributor, Author) commented Apr 24, 2026

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.

majewsky (Contributor) commented May 4, 2026

@majewsky does this make sense?

Sorry, I was out last week. Please do proceed on your own volition.
