GHSA-8rm2-7qqf-34qm
Prometheus: Remote read endpoint allows denial of service via crafted snappy payload
Details
### Impact
The remote read endpoint (`/api/v1/read`) does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker can send a small payload that causes a huge heap allocation per request. Under concurrent load this can exhaust available memory and crash the Prometheus process.
### Patches _Has the problem been patched? What versions should users upgrade to?_
Fixed in 3.11.3 and 3.5.3 LTS. Users should upgrade to these versions or later.
### Workarounds User who can not upgrade can place Prometheus behind a reverse proxy or firewall that requires authentication before requests reach /api/v1/read.
Are you affected?
Enter the version of the package you're using.
Affected packages
0.306.0 Fixed in: 0.311.3 go get github.com/prometheus/prometheus@v0.311.3 0 Fixed in: 0.305.2 go get github.com/prometheus/prometheus@v0.305.2 1.0.0-rc.0 No fixed version published yet for github.com/prometheus/prometheus (go modules). Pin to a known-safe version or switch to an alternative.
References
- https://github.com/prometheus/prometheus/security/advisories/GHSA-8rm2-7qqf-34qm [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-42154 [ADVISORY]
- https://github.com/prometheus/prometheus/pull/18584 [WEB]
- https://github.com/prometheus/prometheus/pull/18585 [WEB]
- https://github.com/prometheus/prometheus [PACKAGE]
- https://github.com/prometheus/prometheus/releases/tag/v3.11.3 [WEB]
- https://github.com/prometheus/prometheus/releases/tag/v3.5.3 [WEB]