
Jonas Dörr

#37907 of 53,633
7.4 Total CVSS
Vulnerabilities · 1
PT-2024-22616
7.4
2024-03-29
Unknown · Swift Prometheus · CVE-2024-28867
**Name of the Vulnerable Software and Affected Versions**

Swift Prometheus versions prior to 2.0.0-alpha.2

**Description**

The issue arises when unsanitized string values are used as metric names or labels, allowing an attacker to send a `?lang` query parameter containing newlines, `}` or similar characters. This can let the attacker take over the exported format, including creating an unbounded number of stored metrics, inflating server memory usage, or producing "bogus" metrics. Developers must validate user input before using it as a metric name, label name, or label value to prevent such attacks.

**Recommendations**

For versions prior to 2.0.0-alpha.2, update to version 2.0.0-alpha.2 or later to fix the vulnerability. As a temporary workaround, validate label values and metric names to reject malicious input. Developers can configure the `PrometheusSanitizer` to apply custom validation logic. For example, create a custom sanitizer:

```swift
let mySanitizer = PrometheusSanitizer { metricName, labels in
    // ... your logic here ...
    return (metricName, labels)
}
```

Then, use this sanitizer when creating a `PrometheusCollectorRegistry`:

```swift
let registry = PrometheusCollectorRegistry(sanitizer: mySanitizer)
```
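A filled-in sanitizer for the hook shown above, added here as an example and not taken from the advisory or the Swift Prometheus project. It assumes the closure-based `PrometheusSanitizer` initializer and `PrometheusCollectorRegistry(sanitizer:)` from the advisory, that labels arrive as `[(String, String)]` name/value pairs, and a constructed allowlist of `lang` values; the identifier rules are those of the Prometheus text exposition format.

```swift
import Prometheus

// Added example, not the project's own code. Assumes the sanitizer closure
// receives labels as [(String, String)] and returns the same shape.
//
// Prometheus text-format grammar:
//   metric name : [a-zA-Z_:][a-zA-Z0-9_:]*
//   label name  : [a-zA-Z_][a-zA-Z0-9_]*
//   label value : any UTF-8, but \ " and newline must not reach the output raw
let metricNameFirst = Set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_:")
let metricNameRest = metricNameFirst.union("0123456789")
let labelNameFirst = Set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_")
let labelNameRest = labelNameFirst.union("0123456789")

/// Replace every character outside the allowed alphabet with `_`, so the
/// result always matches the identifier grammar and cannot break the format.
func sanitizeIdentifier(_ s: String, first: Set<Character>, rest: Set<Character>) -> String {
    var out = ""
    for (i, ch) in s.enumerated() {
        let allowed = (i == 0) ? first : rest
        out.append(allowed.contains(ch) ? ch : "_")
    }
    return out.isEmpty ? "_" : out
}

/// Request-derived values such as `?lang` are only accepted from a fixed
/// allowlist; everything else collapses to "other". This removes
/// format-breaking characters and bounds the number of stored series.
let allowedLangs: Set<String> = ["en", "de", "fr"]   // constructed allowlist

let mySanitizer = PrometheusSanitizer { metricName, labels in
    let name = sanitizeIdentifier(metricName, first: metricNameFirst, rest: metricNameRest)
    let safeLabels = labels.map { (labelName, labelValue) -> (String, String) in
        let key = sanitizeIdentifier(labelName, first: labelNameFirst, rest: labelNameRest)
        let value: String
        if key == "lang" {
            value = allowedLangs.contains(labelValue) ? labelValue : "other"
        } else {
            // Drop characters that would let a value escape its quoted field.
            value = labelValue.filter { $0 != "\n" && $0 != "\"" && $0 != "\\" && $0 != "}" }
        }
        return (key, value)
    }
    return (name, safeLabels)
}

let registry = PrometheusCollectorRegistry(sanitizer: mySanitizer)
```

With this in place a label value such as `en\n}evil 1` is reduced to `other`, so the exporter emits a bounded set of well-formed series regardless of what the client sent.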