Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint (/api/v1/read) does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker can send a small payload that causes a huge heap allocation per request. Under concurrent load this can exhaust available memory and crash the Prometheus process. This issue has been patched in versions 3.5.3 and 3.11.3.
AnalysisAI
Memory exhaustion in Prometheus remote read endpoint allows unauthenticated attackers to crash the monitoring server via maliciously crafted snappy-compressed payloads. The /api/v1/read endpoint in versions prior to 3.5.3 and 3.11.3 accepts compressed request bodies without validating the declared decoded length, enabling a 5-byte payload claiming 256 MiB decoded size to trigger massive heap allocations. Concurrent requests can exhaust memory and crash the Prometheus process. EPSS data not provided; no evidence of active exploitation (not in CISA KEV). Vendor-released patches available in versions 3.5.3 and 3.11.3.
Technical ContextAI
Prometheus is a widely-deployed open-source monitoring and time series database system, commonly used in cloud-native and Kubernetes environments. The vulnerability resides in the remote read API endpoint (/api/v1/read), which accepts snappy-compressed protocol buffer requests for querying time series data. Snappy compression uses a stream format with a header declaring the decoded length before the actual compressed data. The flaw is a classic CWE-400 (Uncontrolled Resource Consumption) issue where the server trusts the client-supplied decoded length header without validation, allowing an attacker to send a tiny compressed payload (as small as 5 bytes) claiming a massive decoded size (e.g., 256 MiB). The vulnerable code path in storage/remote/codec.go's DecodeReadRequest() function allocates memory based on this untrusted header before decompression occurs. The fix implements a 32 MiB limit check (decodeReadLimit) on the declared decoded length using snappy.DecodedLen() before any memory allocation, rejecting payloads exceeding the threshold.
RemediationAI
Upgrade immediately to Prometheus version 3.5.3 or 3.11.3 depending on your release track (see https://github.com/prometheus/prometheus/releases/tag/v3.5.3 and https://github.com/prometheus/prometheus/releases/tag/v3.11.3). These versions implement decoded-length validation with a 32 MiB limit before memory allocation. If immediate patching is not feasible, implement network-level access controls: restrict /api/v1/read endpoint access to trusted internal networks only using firewall rules or reverse proxy ACLs; disable remote read functionality entirely if federated queries are not required (remove --web.enable-remote-read flag or equivalent configuration). Rate limiting at the reverse proxy/load balancer can reduce concurrent request impact but does not eliminate the vulnerability. Monitor memory usage closely for anomalies. Each mitigation has trade-offs: network restrictions may break legitimate federated monitoring; disabling remote read eliminates long-term storage query functionality; rate limiting adds operational complexity and may impact legitimate high-throughput queries.
More in Prometheus
View allUnsafe PHP deserialization in openITCOCKPIT Community Edition 5.3.1 and earlier allows authenticated attackers to inject
Remote code execution in openITCOCKPIT 5.3.1 and earlier via unsafe deserialization in the Gearman worker component, whi
Prometheus monitoring system exposes Azure AD OAuth client secrets in plaintext via its /-/config HTTP API endpoint. Ver
Prometheus is an open-source monitoring system and time series database. Rated medium severity (CVSS 6.1), this vulnerab
Scraparr versions 3.0.0-beta through 3.0.1 expose Readarr API keys in plaintext through the /metrics endpoint when the R
Denial of Service in Prometheus and Kibana metricsets can be triggered by sending specially crafted malformed payloads t
A stored, DOM based, cross-site scripting (XSS) flaw was found in Prometheus before version 2.7.1. Rated medium severity
Stored cross-site scripting in Prometheus versions 2.49.0 through 3.5.2/3.11.2 allows a low-privileged attacker who can
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Manager Client Tools 15 | Fixed |
| SUSE Manager Client Tools for SLE 15 | Fixed |
| SUSE Multi-Linux Manager Client Tools for SLE 15 | Fixed |
| SUSE Manager Proxy LTS 4.3 | Fixed |
| SUSE Manager Proxy Module 4.3 | Fixed |
| SUSE Enterprise Storage 6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| SUSE Manager Proxy Module 4.1 | Fixed |
| SUSE Manager Proxy Module 4.2 | Fixed |
| openSUSE Leap 15.3 | Fixed |
| openSUSE Leap 15.4 | Fixed |
| openSUSE Leap 15.5 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| SUSE Multi Linux Manager Tools SLE-15 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27091
GHSA-8rm2-7qqf-34qm