{"id":"GO-2022-0322","summary":"Uncontrolled resource consumption in github.com/prometheus/client_golang","details":"The Prometheus client_golang HTTP server is vulnerable to a denial of service attack when handling requests with non-standard HTTP methods. Each distinct unrecognized method string is recorded as a new value of the \"method\" label, so an unauthenticated client can create an unbounded number of time series and exhaust the server's memory.\n\nIn order to be affected, instrumented software must use any of the promhttp.InstrumentHandler* middleware except RequestsInFlight; not filter any specific methods (e.g. GET) before the middleware; pass a metric with a \"method\" label name to a middleware; and not have any firewall/LB/proxy that filters away requests with unknown \"method\" values.","aliases":["CVE-2022-21698","GHSA-cg3q-j54f-5p7p"],"modified":"2026-02-04T02:57:44.554914Z","published":"2022-07-15T23:29:02Z","related":["CGA-8xhp-794r-624p","CVE-2023-25151","CVE-2023-45142","GHSA-5r5m-65gx-7vrh","GHSA-rcjv-mgp8-qvmr"],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2022-0322","review_status":"REVIEWED"},"references":[{"type":"FIX","url":"https://github.com/prometheus/client_golang/pull/962"}],"affected":[{"package":{"name":"github.com/prometheus/client_golang","ecosystem":"Go","purl":"pkg:golang/github.com/prometheus/client_golang"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.11.1"}]}],"ecosystem_specific":{"imports":[{"symbols":["Handler","HandlerFor","InstrumentHandlerCounter","InstrumentHandlerDuration","InstrumentHandlerRequestSize","InstrumentHandlerResponseSize","InstrumentHandlerTimeToWriteHeader","InstrumentMetricHandler","InstrumentRoundTripperCounter","InstrumentRoundTripperDuration","flusherDelegator.Flush","readerFromDelegator.ReadFrom","responseWriterDelegator.Write","responseWriterDelegator.WriteHeader","sanitizeMethod"],"path":"github.com/prometheus/client_golang/prometheus/promhttp"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2022-0322.json"}}],"schema_version":"1.7.3"}