Threat Feed

Tag

Prometheus

3 briefs
medium advisory

OpenTelemetry Prometheus Exporter Denial-of-Service via Malformed HTTP Request (CVE-2026-44902)

A malformed HTTP request can crash any Node.js process running the OpenTelemetry JS Prometheus exporter. The metrics endpoint has no error handling around URL parsing, so a request with an invalid URI causes an uncaught `TypeError` that terminates the process, leading to a denial of service. Update `@opentelemetry/exporter-prometheus` and `@opentelemetry/sdk-node` to version **0.217.0** or later and `@opentelemetry/auto-instrumentations-node` to version **0.75.0** or later to remediate.

@opentelemetry/exporter-prometheus +2 denial-of-service otel prometheus CVE-2026-44902
medium advisory

Prometheus Remote Read Endpoint Denial-of-Service Vulnerability

The Prometheus remote read endpoint is vulnerable to denial of service because it does not validate the declared decoded length in snappy-compressed request bodies, allowing unauthenticated attackers to exhaust memory resources.

go/github.com/prometheus/prometheus denial-of-service prometheus snappy
high threat

Multiple Vulnerabilities in Prometheus Allow for DoS, Information Disclosure, and XSS

Multiple vulnerabilities in Prometheus could allow an attacker to perform a Denial of Service attack, disclose sensitive information, or execute Cross-Site Scripting attacks.

Prometheus vulnerability denial-of-service information-disclosure cross-site-scripting