Alertmanager UI is vulnerable to stored XSS via the /api/v1/alerts endpoint
Description
Alertmanager handles alerts sent by client applications such as the Prometheus server. An attacker with permission to perform POST requests to the /api/v1/alerts endpoint could execute arbitrary JavaScript code in the browsers of Prometheus Alertmanager users. This issue has been fixed in Alertmanager version 0.25.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2023-40577: Stored XSS in Alertmanager via POST /api/v1/alerts allows arbitrary JavaScript execution, fixed in v0.25.1.
Vulnerability Overview
Alertmanager, a component that handles alerts from Prometheus and other clients, is vulnerable to a stored cross-site scripting (XSS) attack. The vulnerability resides in the /api/v1/alerts endpoint. An attacker with permission to send POST requests to this endpoint can inject arbitrary JavaScript code into alert data that will later be rendered in the Alertmanager UI. This issue has been fixed in Alertmanager version 0.25.1.
Attack Vector and Prerequisites
An attacker must have the ability to perform authenticated POST requests to the /api/v1/alerts endpoint. No special network position is required beyond network access to the Alertmanager instance. The attack complexity is low, as the injected payload is simply included in the alert payload. User interaction is required because a victim must view the crafted alert in the UI for the script to execute. The scope is changed because the XSS affects the browser of the user, not the Alertmanager server itself.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session when they view the malicious alert. This can lead to session hijacking, theft of credentials or tokens, defacement of the UI, or further actions on behalf of the victim. The impact on confidentiality, integrity, and availability is considered high as the attacker can perform any action the user can.
Mitigation
The vulnerability is patched in Alertmanager version 0.25.1. Users are strongly advised to upgrade. No workarounds are provided in the advisory. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
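As an added defender-side illustration (not code from the advisory or the Alertmanager project), the script below gates on the fixed release named above and inspects a constructed POST /api/v1/alerts body for label or annotation values that a UI must not render as raw HTML; the sample alerts and the helper names are assumptions.

```python
import json
from html import escape

PATCHED = (0, 25, 1)  # first fixed Alertmanager release per the advisory

# Constructed sample body in the shape accepted by POST /api/v1/alerts:
# a JSON array of alerts carrying labels and annotations.
SAMPLE_ALERTS = json.dumps([
    {"labels": {"alertname": "HighLatency", "service": "api"},
     "annotations": {"summary": "p99 latency above 2s"}},
    {"labels": {"alertname": "DiskFull", "instance": "<script>alert(1)</script>"},
     "annotations": {"summary": "disk 95% full"}},
])

def parse_version(v):
    """'v0.25.0-rc.1' -> (0, 25, 0); pre-release and build tags are ignored."""
    core = v.lstrip("v").split("-")[0].split("+")[0]
    return tuple(int(p) for p in core.split("."))

def is_vulnerable(v):
    """True when the running Alertmanager predates the fixed release."""
    return parse_version(v) < PATCHED

def find_untrusted_markup(body):
    """Return (alert index, section, key, value) for every label or annotation
    value that HTML escaping would change, i.e. anything that would become
    active markup if a UI rendered it unescaped."""
    findings = []
    for i, alert in enumerate(json.loads(body)):
        for section in ("labels", "annotations"):
            for key, value in alert.get(section, {}).items():
                if escape(str(value), quote=True) != str(value):
                    findings.append((i, section, key, value))
    return findings

def escaped_copy(body):
    """Return the alerts with every label/annotation value HTML-escaped,
    the output encoding a renderer must apply before showing the data."""
    alerts = json.loads(body)
    for alert in alerts:
        for section in ("labels", "annotations"):
            alert[section] = {k: escape(str(v), quote=True)
                              for k, v in alert.get(section, {}).items()}
    return alerts
```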
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/prometheus/alertmanager | Go | < 0.25.1 | 0.25.1 |
Affected products
- prometheus/alertmanager (v5): range <= 0.25.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-v86x-5fm3-5p7j (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-40577 (GHSA, advisory)
- github.com/prometheus/alertmanager/security/advisories/GHSA-v86x-5fm3-5p7j (GHSA, x_refsource_CONFIRM, web)
- lists.debian.org/debian-lts-announce/2023/10/msg00011.html (GHSA, web)
News mentions
No linked articles in our index yet.