Unknown · Client Golang · CVE-2022-21698
**Name of the Vulnerable Software and Affected Versions**
client_golang versions prior to 1.11.1
**Description**
The HTTP server instrumentation in client_golang is susceptible to denial of service through unbounded metric cardinality, and potentially memory exhaustion, when handling requests with non-standard HTTP methods: each distinct method value becomes a new `method` label value, and therefore a new time series that is never freed. An instrumented application is affected only if all of the following hold: it uses any of the `promhttp.InstrumentHandler*` middleware except `RequestsInFlight`; it does not filter HTTP methods before the middleware; it passes a metric with a `method` label to the middleware; and it has no firewall, load balancer, or proxy in front of it that rejects requests with unknown methods.
**Recommendations**
For client_golang versions prior to 1.11.1, update to version 1.11.1 or later to resolve the issue.
As a temporary workaround, consider removing the `method` label from the counter or gauge passed to the InstrumentHandler.
Alternatively, turn off the affected promhttp handlers, or add custom middleware in front of the promhttp handler that sanitizes the request method (`http.Request.Method`) before it reaches the instrumentation.
Placing a reverse proxy or web application firewall in front of the service, configured to allow only a limited set of methods, also mitigates the issue.
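The following is an added example, not code from client_golang or from this advisory, of the "custom middleware in front of the promhttp handler" workaround. It uses only the Go standard library: the `methodCounter` type is a constructed stand-in for a Prometheus counter with a `method` label (one entry per distinct label value), `instrument` mimics what an `InstrumentHandler*` middleware does with `r.Method`, and `sanitizeMethod` is the hypothetical allowlist middleware. Running the same constructed traffic through both chains shows the unprotected counter growing by one series per made-up method while the protected one stays at the two legitimate methods.

```go
package main

// Added example (not client_golang code): a method-allowlist middleware placed
// in front of an instrumented handler, with a constructed stand-in for a
// Prometheus counter labelled by method so the cardinality effect is visible.

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// methodCounter stands in for a CounterVec with a "method" label: one map
// entry per distinct label value, which is exactly the cardinality at issue.
type methodCounter struct {
	mu     sync.Mutex
	counts map[string]int
}

func newMethodCounter() *methodCounter {
	return &methodCounter{counts: map[string]int{}}
}

func (c *methodCounter) inc(method string) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.counts[method]++
}

// series returns how many distinct "method" label values have been created.
func (c *methodCounter) series() int {
	c.mu.Lock()
	defer c.mu.Unlock()
	return len(c.counts)
}

// instrument mirrors what a promhttp.InstrumentHandler* middleware does with a
// method label: it records r.Method exactly as the client sent it.
func instrument(c *methodCounter, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c.inc(r.Method)
		next.ServeHTTP(w, r)
	})
}

// allowedMethods is the fixed set of methods the service is willing to serve.
var allowedMethods = map[string]bool{
	http.MethodGet: true, http.MethodHead: true, http.MethodPost: true,
	http.MethodPut: true, http.MethodPatch: true, http.MethodDelete: true,
	http.MethodOptions: true,
}

// sanitizeMethod is the hypothetical custom middleware: it rejects any request
// whose method is not on the allowlist before the request can reach the
// instrumented handler, so no new label value is ever created.
func sanitizeMethod(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !allowedMethods[r.Method] {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// okHandler is the application handler being protected.
var okHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusOK)
})

// drive sends one request per method through h and returns the status codes.
func drive(h http.Handler, methods []string) []int {
	codes := make([]int, 0, len(methods))
	for _, m := range methods {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, httptest.NewRequest(m, "/", nil))
		codes = append(codes, rec.Code)
	}
	return codes
}

// compareSeries runs the same traffic through an unprotected and a protected
// chain and returns the number of label values each counter ended up with.
func compareSeries(methods []string) (unprotected, protected int) {
	a, b := newMethodCounter(), newMethodCounter()
	drive(instrument(a, okHandler), methods)
	drive(sanitizeMethod(instrument(b, okHandler)), methods)
	return a.series(), b.series()
}

// protectedCodes returns the status codes the hardened chain answers with.
func protectedCodes(methods []string) []int {
	return drive(sanitizeMethod(instrument(newMethodCounter(), okHandler)), methods)
}

func main() {
	// Constructed traffic: two legitimate methods and three made-up ones such
	// as an unfiltered client could send.
	methods := []string{"GET", "POST", "PROBE-0001", "PROBE-0002", "PROBE-0003"}
	u, p := compareSeries(methods)
	fmt.Printf("label values without middleware: %d, with middleware: %d\n", u, p)
	fmt.Println("status codes with middleware:", protectedCodes(methods))
}
```

Ordering is the point: `sanitizeMethod` must wrap the instrumented handler (it is the outermost layer), not the other way round, because the label value is created the moment the instrumentation sees `r.Method`. Rejecting with 405 keeps the legitimate methods' metrics unchanged and leaves an obvious signal in access logs when a client sends unusual methods.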