PT-2024-22616 · Unknown · Swift Prometheus

Jonas Dörr · Published 2024-03-29 · Updated 2024-04-01 · CVE-2024-28867

CVSS v3.1: 7.4 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Swift Prometheus versions prior to 2.0.0-alpha.2

Description: The issue arises when unsanitized string values are used as metric names or labels, allowing an attacker to send a ?lang query parameter containing newlines, } or similar characters. This can let the attacker take over the exported format, including creating an unbounded number of stored metrics, inflating server memory usage, or producing "bogus" metrics. Developers must validate user input before using it as metric names, label names, or label values to prevent such attacks.

Recommendations: For versions prior to 2.0.0-alpha.2, update to version 2.0.0-alpha.2 or later to fix the vulnerability. As a temporary workaround, validate label values and metric names to reject malicious input. Developers can configure the PrometheusSanitizer to apply custom validation logic. For example, create a custom sanitizer:

    let mySanitizer = PrometheusSanitizer { metricName, labels in
        // ... your logic here ...
        (metricName, labels)
    }

Then use this sanitizer when creating a PrometheusCollectorRegistry:

    let registry = PrometheusCollectorRegistry(sanitizer: mySanitizer)
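An added example of a sanitizer that performs the validation the advisory asks for; it is not code from the advisory or from the swift-prometheus project. It assumes the closure shape shown above with labels passed as [(String, String)], and the language allowlist is constructed for illustration.

```swift
import Prometheus  // swift-prometheus 2.0.0-alpha.2 or later

// Constructed allowlist for the one user-controlled dimension named on this page (?lang).
let knownLanguages: Set<String> = ["en", "de", "fr", "es"]

/// Keep only scalars allowed in Prometheus identifiers; everything else becomes "_".
/// Metric names may contain ":" (allowColon: true); label names may not.
func sanitizeIdentifier(_ s: String, allowColon: Bool) -> String {
    var out = ""
    for (i, c) in s.unicodeScalars.enumerated() {
        let v = c.value
        let alpha = (v >= 0x61 && v <= 0x7A)   // a-z
            || (v >= 0x41 && v <= 0x5A)        // A-Z
            || v == 0x5F                       // _
        let digit = v >= 0x30 && v <= 0x39     // 0-9, not allowed as first character
        let ok = alpha || (allowColon && v == 0x3A) || (i > 0 && digit)
        out.unicodeScalars.append(ok ? c : "_")
    }
    return out.isEmpty ? "_" : out
}

/// Label values: drop control characters (newline, CR, NUL, ...) that break the
/// exposition format, cap the length, and collapse unknown language codes so an
/// attacker cannot create one time series per distinct ?lang value.
func sanitizeLabelValue(name: String, value: String) -> String {
    var cleaned = ""
    for c in value.unicodeScalars where c.value >= 0x20 && c.value != 0x7F {
        cleaned.unicodeScalars.append(c)
    }
    if name == "lang" {
        return knownLanguages.contains(cleaned) ? cleaned : "other"
    }
    return String(cleaned.prefix(128))
}

// Plug the validation into the registry using the closure shape from the advisory.
// Assumption: labels arrive as [(String, String)] (name, value) pairs.
let mySanitizer = PrometheusSanitizer { metricName, labels in
    let cleanLabels = labels.map { label in
        (sanitizeIdentifier(label.0, allowColon: false),
         sanitizeLabelValue(name: label.0, value: label.1))
    }
    return (sanitizeIdentifier(metricName, allowColon: true), cleanLabels)
}
let registry = PrometheusCollectorRegistry(sanitizer: mySanitizer)
```

Character filtering alone does not bound cardinality; the allowlist on the lang label is what prevents one stored series per distinct attacker-supplied value.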

Weakness Enumeration

Special Elements Injection

Related Identifiers

CVE-2024-28867
GHSA-X768-CVR2-345R

Affected Products

Swift Prometheus