build(deps): update module github.com/prometheus/prometheus to v0.311.2 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/prometheus/prometheus	v0.305.0 → v0.311.2

GitHub Vulnerability Alerts

CVE-2026-40179

Impact

Stored cross-site scripting (XSS) via crafted metric names in the Prometheus web UI:

• Old React UI + New Mantine UI: When a user hovers over a chart tooltip on the Graph page, metric names containing HTML/JavaScript are injected into innerHTML without escaping, causing arbitrary script execution in the user's browser.
• Old React UI only: When a user opens the Metric Explorer (globe icon next to the PromQL expression input field), and a metric name containing HTML/JavaScript is rendered in the fuzzy search results, it is injected into innerHTML without escaping, causing arbitrary script execution in the user's browser.
• Old React UI only: When a user views a heatmap chart and hovers over a cell, the le label values of the underlying histogram buckets are interpolated into innerHTML without escaping. While le is conventionally a numeric bucket boundary, Prometheus does not enforce this — arbitrary UTF-8 strings are accepted as label values, allowing script injection via a crafted scrape target or remote write.

With Prometheus v3.x defaulting to UTF-8 metric and label name validation, characters like <, >, and " are now valid in metric names and labels, making this exploitable.

An attacker who can inject metrics (via a compromised scrape target, remote write, or OTLP receiver endpoint) can execute JavaScript in the browser of any Prometheus user who views the metric in the Graph UI. From the XSS context, an attacker could for example:

• Read /api/v1/status/config to extract sensitive configuration (although credentials / secrets are redacted by the server)
• Call /-/quit to shut down Prometheus (only if --web.enable-lifecycle is set)
• Call /api/v1/admin/tsdb/delete_series to delete data (only if --web.enable-admin-api is set)
• Exfiltrate metric data to an external server

Both the new Mantine UI and the old React UI are affected. The vulnerable code paths are:

• web/ui/mantine-ui/src/pages/query/uPlotChartHelpers.ts — tooltip innerHTML with unescaped labels.__name__
• web/ui/react-app/src/pages/graph/GraphHelpers.ts — tooltip content with unescaped labels.__name__
• web/ui/react-app/src/pages/graph/MetricsExplorer.tsx — fuzzy search results rendered via dangerouslySetInnerHTML without sanitization
• web/ui/react-app/src/vendor/flot/jquery.flot.heatmap.js — heatmap tooltip with unescaped label values

Patches

A patch has been published in Prometheus 3.5.2 LTS and Prometheus 3.11.2. The fix applies escapeHTML() to all user-controlled values (metric names and label values) before inserting them into innerHTML. This advisory will be updated with the patched version once released.

Workarounds

• If using the remote write receiver (--web.enable-remote-write-receiver), ensure it is not exposed to untrusted sources.
• If using the OTLP receiver (--web.enable-otlp-receiver), ensure it is not exposed to untrusted sources.
• Ensure scrape targets are trusted and not under attacker control.
• Do not enable admin / mutating API endpoints (e.g. --web.enable-admin-api or web.enable-lifecycle) in cases where you cannot prevent untrusted data from being ingested.
• Users should avoid clicking untrusted links, especially those containing functions such as label_replace, as they may generate poisoned label names and values.

Acknowledgements

Thanks to @​gladiator9797 (Duc Anh Nguyen from TinyxLab) for reporting this.

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

---

Release Notes

prometheus/prometheus (github.com/prometheus/prometheus)

v0.311.2

Compare Source

v0.311.1

Compare Source

v0.311.0

Compare Source

v0.310.0

Compare Source

v0.309.1

Compare Source

v0.309.0

Compare Source

v0.308.1

Compare Source

v0.308.0

Compare Source

v0.307.3

Compare Source

v0.307.2

Compare Source

v0.307.1

Compare Source

v0.307.0

Compare Source

v0.306.0

Compare Source

v0.305.2

Compare Source

v0.305.1

Compare Source

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum

Command failed: go mod tidy
go: downloading github.com/alecthomas/assert/v2 v2.6.0
go: downloading github.com/alecthomas/repr v0.4.0
go: downloading go.uber.org/goleak v1.3.0
go: downloading gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c
go: downloading github.com/hexops/gotextdiff v1.0.3
go: downloading gonum.org/v1/gonum v0.17.0
go: downloading github.com/zeebo/assert v1.3.0
go: downloading go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.40.0
go: downloading github.com/fullstorydev/emulators/storage v0.0.0-20240401123056-edc69752f474
go: downloading github.com/efficientgo/e2e v0.13.1-0.20220922081603-45de9fc588a8
go: downloading github.com/prashantv/gostub v1.1.0
go: downloading github.com/asaskevich/govalidator v0.0.0-20200108200545-475eaeb16496
go: downloading github.com/xyproto/randomstring v1.0.5
go: downloading github.com/opentracing/opentracing-go v1.2.0
go: downloading github.com/kr/pretty v0.3.1
go: downloading github.com/dgryski/go-farm v0.0.0-20240924180020-3414d57e47da
go: downloading github.com/gin-gonic/gin v1.9.1
go: downloading github.com/gobwas/ws v1.2.1
go: downloading github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/cloudmock v0.55.0
go: downloading cloud.google.com/go/longrunning v0.8.0
go: downloading github.com/bluele/gcache v0.0.2
go: downloading github.com/google/btree v1.1.3
go: downloading github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2
go: downloading github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal/v2 v2.0.0
go: downloading github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.1.1
go: downloading github.com/hashicorp/consul/sdk v0.16.1
go: downloading github.com/hashicorp/go-uuid v1.0.3
go: downloading github.com/jarcoal/httpmock v1.4.1
go: downloading gotest.tools/v3 v3.5.1
go: downloading github.com/shoenig/test v1.12.2
go: downloading github.com/maxatome/go-testdeep v1.12.0
go: downloading gopkg.in/dnaeon/go-vcr.v4 v4.0.6
go: downloading github.com/baiyubin/aliyun-sts-go-sdk v0.0.0-20180326062324-cfa1a18b161f
go: downloading github.com/kr/text v0.2.0
go: downloading github.com/rogpeppe/go-internal v1.14.1
go: downloading github.com/google/gofuzz v1.2.0
go: downloading github.com/gin-contrib/sse v0.1.0
go: downloading github.com/gobwas/httphead v0.1.0
go: downloading github.com/gobwas/pool v0.2.1
go: downloading cloud.google.com/go/logging v1.13.2
go: downloading cloud.google.com/go/trace v1.11.7
go: downloading github.com/envoyproxy/go-control-plane v0.14.0
go: downloading github.com/google/martian/v3 v3.3.3
go: downloading github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1
go: downloading github.com/hashicorp/go-version v1.8.0
go: downloading github.com/hashicorp/go-msgpack v0.5.5
go: downloading github.com/hashicorp/memberlist v0.5.0
go: downloading github.com/stretchr/objx v0.5.2
go: downloading github.com/containerd/log v0.1.0
go: downloading go.yaml.in/yaml/v4 v4.0.0-rc.4
go: downloading github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.5.0
go: downloading github.com/satori/go.uuid v1.2.1-0.20181028125025-b2ce2384e17b
go: downloading github.com/go-playground/validator/v10 v10.14.0
go: downloading github.com/pelletier/go-toml/v2 v2.0.8
go: downloading github.com/ugorji/go/codec v1.2.11
go: downloading github.com/ugorji/go v1.1.7
go: downloading github.com/bytedance/sonic v1.9.1
go: downloading github.com/envoyproxy/go-control-plane/ratelimit v0.1.0
go: downloading github.com/keybase/go-keychain v0.0.1
go: downloading github.com/pascaldekloe/goe v0.1.0
go: downloading github.com/hashicorp/go-sockaddr v1.0.2
go: downloading github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529
go: downloading github.com/onsi/ginkgo/v2 v2.27.2
go: downloading github.com/onsi/ginkgo v1.7.0
go: downloading github.com/onsi/gomega v1.38.2
go: downloading github.com/moby/sys/atomicwriter v0.1.0
go: downloading github.com/sirupsen/logrus v1.9.4
go: downloading github.com/alecthomas/units v0.0.0-20240927000941-0f3dac36c52b
go: downloading github.com/prometheus/client_golang/exp v0.0.0-20260325093428-d8591d0db856
go: downloading github.com/prometheus/otlptranslator v1.0.0
go: downloading github.com/prometheus/sigv4 v0.4.1
go: downloading github.com/bboreham/go-loser v0.0.0-20230920113527-fcc2c21820a3
go: downloading github.com/gabriel-vasile/mimetype v1.4.2
go: downloading github.com/go-playground/universal-translator v0.18.1
go: downloading github.com/leodido/go-urn v1.2.4
go: downloading github.com/go-openapi/testify/v2 v2.4.0
go: downloading github.com/moby/sys/sequential v0.6.0
go: downloading github.com/go-playground/locales v0.14.1
go: downloading github.com/chenzhuoyu/base64x v0.0.0-20221115062448-fe3a3abad311
go: downloading golang.org/x/arch v0.11.0
go: downloading github.com/go-openapi/swag/jsonutils/fixtures_test v0.25.4
go: downloading github.com/go-openapi/testify/enable/yaml/v2 v2.0.2
go: downloading github.com/Masterminds/semver/v3 v3.4.0
go: downloading github.com/moby/term v0.5.2
go: downloading github.com/morikuni/aec v1.1.0
go: downloading github.com/twitchyliquid64/golang-asm v0.15.1
go: downloading github.com/go-task/slim-sprig/v3 v3.0.0
go: downloading github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1
go: finding module for package github.com/go-openapi/testify/v2/assert/yaml
go: downloading github.com/go-openapi/testify/v2 v2.4.2
go: downloading github.com/go-openapi/testify v0.0.0-20251001202347-e909893202bd
go: github.com/parca-dev/parca/pkg/config imports
	github.com/prometheus/prometheus/discovery/install imports
	github.com/prometheus/prometheus/discovery/kubernetes imports
	k8s.io/client-go/kubernetes imports
	k8s.io/client-go/discovery imports
	k8s.io/client-go/openapi imports
	k8s.io/kube-openapi/pkg/spec3 imports
	github.com/go-openapi/swag imports
	github.com/go-openapi/swag/loading tested by
	github.com/go-openapi/swag/loading.test imports
	github.com/go-openapi/testify/enable/yaml/v2 imports
	github.com/go-openapi/testify/v2/assert/yaml: module github.com/go-openapi/testify/v2@latest found (v2.4.2), but does not contain package github.com/go-openapi/testify/v2/assert/yaml

[alwaysmeticulous]

✅ Meticulous spotted 0 visual differences across 274 screens tested: view results.

Meticulous evaluated ~4 hours of user flows against your PR.

_{Expected differences? Click here. Last updated for commit 5ba5d33 build(deps): update module github.com/prometheus/prometheus to v0.311.2 .... This comment will update as new commits are pushed.}