All Prometheus client CVEs — Complete Vulnerability History
The Prometheus Go client library is used by virtually every Go service for metrics. Its CVE is a ReDoS in metric label regex validation.
Language: Go · Weekly downloads: N/A · 1 CVE total
Full CVE history
| CVE | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2022-21698 | 2022 | HIGH | ReDoS via metric label with crafted regex | Fixed v1.12.1 |
Current safe version: v1.19.0
Update the `require` entry for the module in `go.mod` (go.mod uses `//` for comments):

```
// Before
github.com/prometheus/client_golang v1.14.0
// After
github.com/prometheus/client_golang v1.19.0
```

Then run: `go mod tidy`
Paste your manifest — get a fixed version with all CVEs patched in seconds.
Common questions
Is the Prometheus client ReDoS exploitable?
If your metrics labels include user-controlled data, yes. An attacker can cause metric processing to hang. Most applications use static labels — lower risk in practice, but still worth updating.