Prometheus
v3.5.3ObservabilityPrometheus v3.5.3 is a security-only release patching four vulnerabilities: credential exposure, two snappy decompression bombs, and a stored XSS in the legacy UI.
securityRotate AzureAD client_secret immediately if /-/config was exposed
Any Prometheus instance using AzureAD remote write had its OAuth client_secret visible in plaintext at the /-/config endpoint. If that endpoint was reachable by untrusted users or scraped by monitoring tools, treat the secret as compromised. Rotate it in Azure AD, update your Prometheus config, and then upgrade to v3.5.3. After upgrading, restrict /-/config access via --web.enable-admin-api controls or a reverse proxy allowlist.
securityUpgrade now if you accept remote-read or remote-write from untrusted sources
Both remote-read and remote-write endpoints were vulnerable to decompression bomb attacks — a crafted snappy request with an inflated declared size could exhaust memory. If your Prometheus is internet-facing or accepts data from multiple tenants, this is a denial-of-service risk. Upgrade to v3.5.3 immediately. There is no config-level workaround; the fix is in the code.
securityPatch stored XSS if anyone uses the legacy UI with untrusted label values
The old UI heatmap rendered 'le' label values without escaping, allowing stored XSS. If your users browse the legacy UI and your metrics include 'le' labels sourced from external or user-controlled systems, malicious JavaScript could execute in their browsers. Upgrade to v3.5.3. As a short-term measure, direct users to the new UI instead.
主な変更 (4)
- CVE-2026-42151: AzureAD OAuth client_secret leaked in plaintext via /-/config endpoint
- CVE-2026-42154: Remote-read snappy decompression bomb — oversized declared decode length now rejected
- Remote-write snappy decompression bomb fixed with same decode limit enforcement (no separate CVE listed)
- Stored XSS via unescaped 'le' label values in legacy UI heatmap tick labels (GHSA-fw8g-cg8f-9j28)