The Prometheus client_golang HTTP server is vulnerable to a denial of service attack when handling requests with non-standard HTTP methods.
To be affected, the instrumented software must use any of the promhttp.InstrumentHandler* middleware except RequestsInFlight; must not filter requests down to specific methods (e.g. GET) before the middleware runs; must pass a metric with a "method" label name to the middleware; and must not sit behind a firewall, load balancer or proxy that discards requests with an unknown method.
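The second condition above (no method filtering before the middleware) is the one an application owner can fix without upgrading. The example below is added here and is not code from the advisory or from client_golang: it shows a method allow-list placed outside the instrumentation, and contrasts the vulnerable ordering with the hardened one. `MethodCounter` is a hypothetical stand-in for a promhttp counter carrying a "method" label (it simply lowercases the request method and counts it), and `allowedMethods` is an assumed allow-list to be narrowed to what the service actually serves.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sort"
	"strings"
	"sync"
)

// allowedMethods is the allow-list enforced before instrumentation
// (assumption for this example; restrict it to what the service serves).
var allowedMethods = []string{
	http.MethodGet, http.MethodHead, http.MethodPost,
	http.MethodPut, http.MethodDelete, http.MethodOptions,
}

// RestrictMethods rejects any request whose method is not allow-listed with
// 405 before the wrapped handler runs. Placed outside the promhttp middleware,
// it guarantees that only allow-listed methods ever reach a "method" label.
func RestrictMethods(next http.Handler) http.Handler {
	allowed := make(map[string]bool, len(allowedMethods))
	for _, m := range allowedMethods {
		allowed[m] = true
	}
	sorted := append([]string(nil), allowedMethods...)
	sort.Strings(sorted)
	allowHeader := strings.Join(sorted, ", ")
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !allowed[r.Method] {
			w.Header().Set("Allow", allowHeader)
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// MethodCounter is a hypothetical stand-in for a promhttp counter with a
// "method" label; it is not the client_golang implementation. Every distinct
// request method becomes a distinct label value, which is where an unfiltered,
// client-chosen method turns into unbounded label cardinality.
type MethodCounter struct {
	mu     sync.Mutex
	counts map[string]int
}

func NewMethodCounter() *MethodCounter {
	return &MethodCounter{counts: map[string]int{}}
}

// Instrument wraps next in the position a promhttp middleware would occupy.
func (c *MethodCounter) Instrument(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c.mu.Lock()
		c.counts[strings.ToLower(r.Method)]++
		c.mu.Unlock()
		next.ServeHTTP(w, r)
	})
}

// Labels returns the distinct "method" label values recorded so far, sorted.
func (c *MethodCounter) Labels() []string {
	c.mu.Lock()
	defer c.mu.Unlock()
	out := make([]string, 0, len(c.counts))
	for k := range c.counts {
		out = append(out, k)
	}
	sort.Strings(out)
	return out
}

// BuildChains returns the vulnerable ordering (instrumentation with no method
// filter) and the hardened ordering (allow-list outside the instrumentation),
// each with its own counter so their label sets can be compared.
func BuildChains() (vulnerable, hardened http.Handler, vc, hc *MethodCounter) {
	app := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	vc, hc = NewMethodCounter(), NewMethodCounter()
	return vc.Instrument(app), RestrictMethods(hc.Instrument(app)), vc, hc
}

// Serve runs one in-memory request through h and returns the status code.
func Serve(h http.Handler, method string) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(method, "/", nil))
	return rec.Code
}

func main() {
	vulnerable, hardened, vc, hc := BuildChains()
	// "BOGUS1" is a constructed non-standard method, valid as an HTTP token.
	for _, m := range []string{"GET", "BOGUS1"} {
		fmt.Printf("vulnerable %-6s -> %d, hardened %-6s -> %d\n",
			m, Serve(vulnerable, m), m, Serve(hardened, m))
	}
	fmt.Println("vulnerable labels:", vc.Labels(), "hardened labels:", hc.Labels())
}
```

Only the outer allow-list keeps the label set bounded; a filter registered inside the instrumentation (closer to the application handler) runs after the label has already been recorded and does not help.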
Review status: REVIEWED
URL: https://pkg.go.dev/vuln/GO-2022-0322

Affected import path: github.com/prometheus/client_golang/prometheus/promhttp
Affected symbols: Handler, HandlerFor, InstrumentHandlerCounter, InstrumentHandlerDuration, InstrumentHandlerRequestSize, InstrumentHandlerResponseSize, InstrumentHandlerTimeToWriteHeader, InstrumentMetricHandler, InstrumentRoundTripperCounter, InstrumentRoundTripperDuration, flusherDelegator.Flush, readerFromDelegator.ReadFrom, responseWriterDelegator.Write, responseWriterDelegator.WriteHeader, sanitizeMethod