Prometheus vulnerable to stored XSS via crafted histogram bucket label values in the old web UI heatmap display
Description
Impact
In the Prometheus server's legacy web UI (enabled via the command-line flag --enable-feature=old-ui), the histogram heatmap chart view does not escape le label values when inserting them into the HTML for use as axis tick mark labels.
An attacker who can inject crafted metrics (e.g. via a compromised scrape target, remote write, or OTLP receiver endpoint) can execute JavaScript in the browser of any Prometheus user who views the metric in the heatmap chart UI. From the XSS context, an attacker could for example:
- Read
/api/v1/status/configto extract sensitive configuration (although credentials / secrets are redacted by the server) - Call
/-/quitto shut down Prometheus (only if--web.enable-lifecycleis set) - Call
/api/v1/admin/tsdb/delete_seriesto delete data (only if--web.enable-admin-apiis set) - Exfiltrate metric data to an external server
Note that this only affects users who have explicitly enabled the legacy Prometheus web UI using the --enable-feature=old-ui command-line flag.
Patches
https://github.com/prometheus/prometheus/commit/38f23b9075ced1de2b82d2dad8b2bebb1ecd5b7d
Workarounds
If at all possible, disable the legacy web UI by removing the --enable-feature=old-ui command-line flag).
If this is not an option, take the following precautions:
- If using the remote write receiver (
--web.enable-remote-write-receiver), ensure it is not exposed to untrusted sources. - If using the OTLP receiver (
--web.enable-otlp-receiver), ensure it is not exposed to untrusted sources. - Ensure scrape targets are trusted and not under attacker control.
- Do not enable admin / mutating API endpoints (e.g.
--web.enable-admin-apiorweb.enable-lifecycle) in cases where you cannot prevent untrusted data from being ingested. - Users should avoid clicking untrusted links, especially those containing functions such as
label_replace, as they may generate poisoned label names and values.
References
- CVE-2019-10215 — prior stored DOM XSS vulnerability in Prometheus query history, fixed in v2.7.2
- CVE-2026-40179 — prior stored DOM XSS vulnerability in Prometheus web UI (hover tooltips and metrics explorer), fixed in v3.11.2
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/prometheus/prometheusGo | < 0.311.3 | 0.311.3 |
Affected products
1- Range: < 0.311.3
Patches
138f23b9075ceui: fix stored XSS in old UI heatmap chart tick labels
1 file changed · +2 −1
web/ui/react-app/src/pages/graph/Graph.tsx+2 −1 modified@@ -10,6 +10,7 @@ import { Button } from 'reactstrap'; import { FontAwesomeIcon } from '@fortawesome/react-fontawesome'; import { faTimes } from '@fortawesome/free-solid-svg-icons'; import { GraphDisplayMode } from './Panel'; +import { escapeHTML } from '../../utils'; require('../../vendor/flot/jquery.flot'); require('../../vendor/flot/jquery.flot.stack'); @@ -151,7 +152,7 @@ class Graph extends PureComponent<GraphProps, GraphState> { if (options.yaxis && isHeatmap) { options.yaxis.ticks = () => new Array(data.length + 1).fill(0).map((_el, i) => i); - options.yaxis.tickFormatter = (val) => `${val ? data[val - 1].labels.le : ''}`; + options.yaxis.tickFormatter = (val) => `${val ? escapeHTML(data[val - 1].labels.le) : ''}`; options.yaxis.min = 0; options.yaxis.max = data.length; options.series.lines = { show: false };
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3News mentions
3- How Cloudflare responded to the “Copy Fail” Linux vulnerabilityCloudflare Blog · May 7, 2026
- The AI engineering stack we built internally — on the platform we shipCloudflare Blog · Apr 20, 2026
- Orchestrating AI Code Review at scaleCloudflare Blog · Apr 20, 2026