CVE-2022-21698 — Uncontrolled Resource Consumption in Prometheus Client Golang

CWE-400 — Uncontrolled Resource Consumption CWE-770 — Allocation of Resources Without Limits or Throttling CWE-772 — Missing Release of Resource after Effective Lifetime9 documents7 sources

Severity

7.5HIGHNVD

EPSS

0.3%

top 48.66%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Prometheus Client Golang Prometheus Client Golang Debian Golang-github-prometheus-client-golang +26 more

Timeline

PublishedFeb 15

Latest updateDec 3

Description

client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, HTTP server is susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods. In order to be affected, an instrumented software must use any of `promhttp.InstrumentHandler*` middleware except `Re…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages28 packages

▶NVDprometheus/client_golang< 1.11.1

▶Gogithub.com/prometheus_client_golang< 1.11.1

▶debiandebian/golang-github-prometheus-client-golang< golang-github-prometheus-client-golang 1.11.1-1 (bookworm)

▶NVDfedoraproject/extra_packages7.0, 8.0+1

▶msrcmsrc/azl3_prometheus-process-exporter_0.8.2-1

Also affects: Fedora 34, 35, 36, 37

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Uncontrolled resource consumption in github.com/prometheus/client_golang↗2022-07-15

▶

GHSA

Uncontrolled Resource Consumption in promhttp↗2022-02-16

▶

OSV

Uncontrolled Resource Consumption in promhttp↗2022-02-16

▶

OSV

CVE-2022-21698: client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP↗2022-02-15

▶

📋Vendor Advisories

Red Hat

prometheus/client_golang: Denial of service using InstrumentHandlerCounter↗2022-02-15

▶

Microsoft

Uncontrolled Resource Consumption in promhttp↗2022-02-08

▶

Debian

CVE-2022-21698: golang-github-prometheus-client-golang - client_golang is the instrumentation library for Go applications in Prometheus, ...↗2022

▶

📄Research Papers

arXiv

A Comprehensive Study on the Impact of Vulnerable Dependencies on Open-Source Software↗2025-12-03

▶