Summary
Un-sanitized metric name or labels can be used to take over exported metrics
Discussion
It is strongly discouraged to use un-sanitized user input as names or labels in general, because they can lead to un-bounded growth of metrics, even as this vulnerability is patched and result in a Denial-of-Service attack opportunity -- regardless how well the library is sanitizing the inputs. We strongly recommend only using a sanitized set of values for your metrics names and labels. E.g., a "lang" label, should only use an expected set of values that can be used, and ignore other ones -- otherwise a determined attacker could create one metric per different label key, leading to unbounded memory use growth as metrics with distinct values must be kept in memory.
Validating label values:
The library will NOT automatically validate and replace strings offered as label values.
Developers must validate label values themselves, and it is strongly recommended to only accept a well known set of values.
It is possible to configure the PrometheusSanitizer to apply whatever validation you deem necessary:
let mySanitizer = PrometheusSanitizer { metricName, labels in
// ... your logic here ...
(metricName, labels)
}
let registry = PrometheusCollectorRegistry(sanitizer: mySanitizer)
let factory = PrometheusMetricsFactory(factory: registry)
// swift-metrics
MetricsSystem.bootstrap(factory)
Workarounds
Developers must validate user input before using it as metric names, label names or values. This follows common practice of not trusting any user input without sanitization.
Credits
We would like to thank Jonas Dörr for bringing out attention to the issue.
Impact
In code which applies un-sanitized string values into metric names or labels, like this:
let lang = try? request.query-get(String.self, at: "lang")
Counter (
label: "language",
dimensions: [("lang", lang ?? "unknown" )]
)
an attacker could make use of this and send a ?lang query parameter containing newlines, } or similar characters which can lead to the attacker taking over the exported format -- including creating unbounded numbers of stored metrics, inflating server memory usage, or causing "bogus" metrics.
CVE-2024-28867 has a CVSS score of 5.9 (Medium). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2.0.0-alpha.2); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Already deployed Kodem?
See it in your environmentNew to Kodem? Get a demo →Remediation advice
The default strategy to sanitize labels was moved deeper into the library, preventing illegal characters from appearing in name, label keys and values.
Metric names and label names are now validated against the following requirement: [a-zA-Z_:][a-zA-Z0-9_:]* (for metric names) and [a-zA-Z_][a-zA-Z0-9_]* (for metric label names). Label values are not validated as they are allowed to contain any unicode characters. Developers must validate labels themselves and not allow malicious input.
The approach taken here mirrors the approach taken in the Go reference implementation.
Frequently Asked Questions
- What is CVE-2024-28867? CVE-2024-28867 is a medium-severity security vulnerability in github.com/swift-server/swift-prometheus (swift), affecting versions = 2.0.0-alpha.1. It is fixed in 2.0.0-alpha.2.
- How severe is CVE-2024-28867? CVE-2024-28867 has a CVSS score of 5.9 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of github.com/swift-server/swift-prometheus are affected by CVE-2024-28867? github.com/swift-server/swift-prometheus (swift) versions = 2.0.0-alpha.1 is affected.
- Is there a fix for CVE-2024-28867? Yes. CVE-2024-28867 is fixed in 2.0.0-alpha.2. Upgrade to this version or later.
- Is CVE-2024-28867 exploitable, and should I be worried? Whether CVE-2024-28867 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2024-28867 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2024-28867? Upgrade
github.com/swift-server/swift-prometheusto 2.0.0-alpha.2 or later.