{"uuid": "6d6d4ffb-e066-4f68-b5e5-13689611f23f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-FW8G-CG8F-9J28", "type": "seen", "source": "https://gist.github.com/alon710/732fb73007773b3c7944069ce75d1865", "content": "# GHSA-FW8G-CG8F-9J28: Stored Cross-Site Scripting in Prometheus Legacy Web UI Heatmap\n\n> **CVSS Score:** 6.5\n> **Published:** 2026-05-05\n> **Full Report:** https://cvereports.com/reports/GHSA-FW8G-CG8F-9J28\n\n## Summary\nPrometheus versions prior to 3.11.3 contain a Stored Cross-Site Scripting (XSS) vulnerability in the legacy web UI's heatmap visualization component. An attacker can inject arbitrary JavaScript by providing malicious `le` (less-than-or-equal) bucket labels within scraped metrics. When an administrator views the heatmap in the legacy UI, the payload executes within their browser context, potentially leading to unauthorized configuration access or actions performed on behalf of the user.\n\n## TL;DR\nA stored XSS vulnerability in the Prometheus legacy web UI allows attackers to execute arbitrary JavaScript via maliciously crafted histogram bucket labels, affecting versions prior to 3.11.3.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-79\n- **Attack Vector**: Network / Stored Ingestion\n- **CVSS Score**: 6.5 (Moderate)\n- **Impact**: Session Hijacking, Configuration Theft\n- **Exploit Status**: Proof of Concept\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Prometheus Server\n- Prometheus Legacy Web UI (Old UI)\n- **Prometheus**: < 3.11.3 (Fixed in: `3.11.3`)\n\n## Mitigation\n\n- Upgrade Prometheus to version 3.11.3 or a validated patched branch.\n- Enforce usage of the modern Prometheus UI or an external tool like Grafana, bypassing the legacy Old UI.\n- Implement `relabel_configs` in the Prometheus scrape configuration to drop or sanitize metrics with HTML characters in `le` labels.\n\n**Remediation Steps:**\n1. Verify the currently deployed version of Prometheus using the `/api/v1/status/buildinfo` endpoint.\n2. Schedule a maintenance window to replace the Prometheus binary with version 3.11.3 or later.\n3. Restart the Prometheus service and verify successful startup and data ingestion.\n4. Audit historical metric data for anomalous `le` labels to identify potential past exploitation attempts.\n\n## References\n\n- [GitHub Security Advisory: GHSA-FW8G-CG8F-9J28](https://github.com/advisories/GHSA-FW8G-CG8F-9J28)\n- [Prometheus Pull Request #18588](https://github.com/prometheus/prometheus/pull/18588)\n- [Prometheus Fix Commit 38f23b9](https://github.com/prometheus/prometheus/commit/38f23b9075ced1de2b82d2dad8b2bebb1ecd5b7d)\n- [Prometheus Release Notes](https://github.com/prometheus/prometheus/releases)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-FW8G-CG8F-9J28) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-05T22:10:29.000000Z"}