
CVE-2022-21698: CWE-400: Uncontrolled Resource Consumption in prometheus client_golang

Medium
Published: Tue Feb 15 2022 (02/15/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: prometheus
Product: client_golang

Description

client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, the HTTP server is susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods. In order to be affected, an instrumented software must use any of the `promhttp.InstrumentHandler*` middleware except `RequestsInFlight`; not filter any specific methods (e.g. GET) before the middleware; pass a metric with the `method` label name to the middleware; and not have any firewall/LB/proxy that filters away requests with an unknown `method`. client_golang version 1.11.1 contains a patch for this issue. Several workarounds are available, including removing the `method` label name from the counter/gauge used in the InstrumentHandler; turning off the affected promhttp handlers; adding custom middleware before the promhttp handler that sanitizes the request method given by Go's http.Request; and using a reverse proxy or web application firewall configured to only allow a limited set of methods.

AI-Powered Analysis

Last updated: 06/23/2025, 17:33:32 UTC

Technical Analysis

CVE-2022-21698 is a vulnerability classified under CWE-400 (Uncontrolled Resource Consumption) affecting the Prometheus client library for Go applications, specifically the client_golang package prior to version 1.11.1. Prometheus is a widely used open-source monitoring and alerting toolkit, and client_golang is its instrumentation library for Go applications. The vulnerability resides in the promhttp package, which provides HTTP server and client tooling. The issue arises when the HTTP server, instrumented with promhttp middleware such as InstrumentHandler*, processes requests containing non-standard or unexpected HTTP methods. If the instrumented software uses any InstrumentHandler* middleware except RequestsInFlight, does not filter HTTP methods before the middleware, uses a metric with a 'method' label, and lacks upstream filtering (e.g., via firewall, load balancer, or proxy), an attacker can send crafted requests with arbitrary HTTP methods. This leads to unbounded cardinality in the metrics, causing excessive memory consumption and potential Denial of Service (DoS) due to resource exhaustion. The vulnerability is exploitable without authentication and does not require user interaction, making it accessible to unauthenticated remote attackers. The issue was patched in client_golang version 1.11.1. Workarounds include removing the 'method' label from metrics, disabling affected promhttp handlers, sanitizing HTTP methods via custom middleware before promhttp handlers, or deploying reverse proxies or web application firewalls configured to restrict allowed HTTP methods. No known exploits have been reported in the wild to date.

Potential Impact

For European organizations, this vulnerability poses a risk primarily to services and applications instrumented with vulnerable versions of client_golang that expose HTTP endpoints using promhttp middleware with the 'method' label in metrics. Successful exploitation can lead to Denial of Service through memory exhaustion, impacting the availability of critical monitoring infrastructure or the applications themselves. This can degrade operational visibility, delay incident response, and potentially cause cascading failures in dependent systems. Organizations relying on Prometheus for monitoring cloud-native or containerized environments, microservices, or internal tooling are particularly at risk. The impact is heightened in environments where no upstream filtering or method validation is enforced, allowing attackers to send crafted requests freely. While the vulnerability does not directly compromise confidentiality or integrity, the loss of availability in monitoring systems can indirectly affect security posture and operational continuity. Given the widespread adoption of Prometheus and Go in European tech sectors, especially in financial services, telecommunications, and public infrastructure, the threat is relevant and warrants attention.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should:

1) Upgrade client_golang to version 1.11.1 or later to apply the official patch.
2) Audit all Go applications using Prometheus instrumentation to identify usage of promhttp middleware with the 'method' label and assess exposure.
3) Remove or rename the 'method' label in metrics counters and gauges used with InstrumentHandler* middleware to prevent unbounded cardinality.
4) Implement custom middleware to sanitize and validate HTTP methods before requests reach promhttp handlers, rejecting or normalizing non-standard methods.
5) Deploy and configure reverse proxies, load balancers, or web application firewalls to restrict allowed HTTP methods to a known safe subset (e.g., GET, POST, PUT, DELETE) and block unknown or non-standard methods.
6) Monitor memory usage and cardinality metrics of Prometheus instrumentation to detect anomalous spikes indicative of exploitation attempts.
7) Incorporate this vulnerability into incident response and vulnerability management workflows to ensure timely detection and remediation.

These steps go beyond generic advice by focusing on specific code-level changes, middleware adjustments, and network-layer filtering tailored to the vulnerability's exploitation vector.
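The "custom middleware before the promhttp handler" workaround named in the description and in mitigation step 4 above, shown as an added example that is not code from the client_golang project or from this advisory. It uses only the Go standard library: the `methodLabelCounter` type is an assumed stand-in for a promhttp-instrumented handler whose metric carries a `method` label (one map entry per distinct label value, which is exactly what grows without bound in the vulnerable configuration), so the example runs without the prometheus module. The method list produced by `SampleMethods` is constructed sample traffic. `SanitizeMethod` is the hypothetical middleware name; it either answers 405 for a method outside the allow-list or rewrites the method to a single placeholder value before the wrapped handler sees it, so the label can only take a bounded number of values either way.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// allowedMethods is the bounded set of methods the instrumented handler may see.
// Anything else is rejected or collapsed to a single placeholder label value.
var allowedMethods = map[string]struct{}{
	http.MethodGet: {}, http.MethodHead: {}, http.MethodPost: {}, http.MethodPut: {},
	http.MethodPatch: {}, http.MethodDelete: {}, http.MethodOptions: {},
}

// unknownMethod is the single label value that every non-standard method maps to.
const unknownMethod = "UNKNOWN"

// SanitizeMethod (hypothetical name) wraps next, which in a real deployment would be
// the promhttp.InstrumentHandler* chain. With reject=true a non-standard method gets
// 405 and never reaches next; with reject=false the request is cloned and its
// Method rewritten to unknownMethod, so downstream sees at most
// len(allowedMethods)+1 distinct method strings.
func SanitizeMethod(next http.Handler, reject bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, ok := allowedMethods[r.Method]; !ok {
			if reject {
				http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
				return
			}
			normalized := r.Clone(r.Context())
			normalized.Method = unknownMethod
			r = normalized
		}
		next.ServeHTTP(w, r)
	})
}

// methodLabelCounter is an assumed toy stand-in for a Prometheus counter with a
// `method` label: each distinct r.Method becomes a new series entry.
type methodLabelCounter struct {
	mu     sync.Mutex
	series map[string]int
}

func (c *methodLabelCounter) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	c.mu.Lock()
	c.series[r.Method]++
	c.mu.Unlock()
	w.WriteHeader(http.StatusOK)
}

// cardinality returns how many distinct `method` label values have been recorded.
func (c *methodLabelCounter) cardinality() int {
	c.mu.Lock()
	defer c.mu.Unlock()
	return len(c.series)
}

// SampleMethods builds constructed sample traffic: two standard methods followed by
// n distinct non-standard (but syntactically valid) method tokens.
func SampleMethods(n int) []string {
	methods := []string{http.MethodGet, http.MethodPost}
	for i := 0; i < n; i++ {
		methods = append(methods, fmt.Sprintf("NONSTANDARD%02d", i))
	}
	return methods
}

// DistinctSeries replays methods through the counter, optionally behind the
// sanitizing middleware, and returns the resulting label cardinality.
// sanitize=false models the vulnerable setup described in the advisory.
func DistinctSeries(methods []string, sanitize, reject bool) int {
	counter := &methodLabelCounter{series: map[string]int{}}
	var h http.Handler = counter
	if sanitize {
		h = SanitizeMethod(counter, reject)
	}
	for _, m := range methods {
		req := httptest.NewRequest(m, "http://example.test/", nil)
		h.ServeHTTP(httptest.NewRecorder(), req)
	}
	return counter.cardinality()
}

func main() {
	traffic := SampleMethods(50)
	fmt.Println("unprotected series:", DistinctSeries(traffic, false, false))
	fmt.Println("normalized series: ", DistinctSeries(traffic, true, false))
	fmt.Println("rejecting series:  ", DistinctSeries(traffic, true, true))
}
```

Normalizing rather than rejecting keeps unusual-but-legitimate clients working while still bounding the label; rejecting is the stricter option and matches what a reverse proxy or WAF method allow-list (mitigation step 5) would do in front of the service. Either way, the `method` label on the instrumented handler can no longer grow with attacker-chosen input, which is the condition the advisory identifies for the memory exhaustion.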


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2021-11-16T00:00:00.000Z
Cisa Enriched
true

Threat ID: 682d9842c4522896dcbf2450

Added to database: 5/21/2025, 9:09:22 AM

Last enriched: 6/23/2025, 5:33:32 PM

Last updated: 8/14/2025, 8:30:34 PM

Views: 21
