
GHSA-fw8g-cg8f-9j28: Prometheus vulnerable to stored XSS via crafted histogram bucket label values in the old web UI heatmap display

May 5, 2026 (updated May 8, 2026)

In the Prometheus server’s legacy web UI (enabled via the command-line flag --enable-feature=old-ui), the histogram heatmap chart view does not escape le label values when inserting them into the HTML for use as axis tick mark labels.

An attacker who can inject crafted metrics (e.g. via a compromised scrape target, remote write, or OTLP receiver endpoint) can execute JavaScript in the browser of any Prometheus user who views the metric in the heatmap chart UI. From the XSS context, an attacker could for example:

  • Read /api/v1/status/config to extract sensitive configuration (although credentials / secrets are redacted by the server)
  • Call /-/quit to shut down Prometheus (only if --web.enable-lifecycle is set)
  • Call /api/v1/admin/tsdb/delete_series to delete data (only if --web.enable-admin-api is set)
  • Exfiltrate metric data to an external server

Note that this only affects users who have explicitly enabled the legacy Prometheus web UI using the --enable-feature=old-ui command-line flag.
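One way to audit a scrape target's output for bucket boundaries that are not numbers, written as an added example (not Prometheus code and not the project's fix). It assumes the text exposition format and relies on the fact that a legitimate classic-histogram le value is a float or +Inf; the names SuspiciousLe, EscapeTick and sampleScrape are hypothetical, and the scrape body is constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"html"
	"regexp"
	"strconv"
	"strings"
)

// sampleScrape is a constructed scrape body; the third line carries a non-numeric le.
const sampleScrape = `# TYPE demo_seconds histogram
demo_seconds_bucket{job="a",le="0.5"} 3
demo_seconds_bucket{job="a",le="<i>1</i>"} 4
demo_seconds_bucket{job="a",le="+Inf"} 5
demo_seconds_count{job="a"} 5
`

// leLabel captures the quoted value of an le label on a sample line.
// Simplification: it does not fully tokenize the other labels on the line.
var leLabel = regexp.MustCompile(`[{,]\s*le="((?:[^"\\]|\\.)*)"`)

// SuspiciousLe returns every le value in body that does not parse as a float.
// Valid bucket bounds such as "0.5" or "+Inf" pass; markup never does.
func SuspiciousLe(body string) []string {
	var bad []string
	sc := bufio.NewScanner(strings.NewReader(body))
	for sc.Scan() {
		line := sc.Text()
		m := leLabel.FindStringSubmatch(line)
		if m == nil || strings.HasPrefix(line, "#") {
			continue // comment line, or a series without an le label
		}
		if _, err := strconv.ParseFloat(m[1], 64); err != nil {
			bad = append(bad, m[1])
		}
	}
	return bad
}

// EscapeTick HTML-escapes a label value, the step the advisory says the heatmap omitted.
func EscapeTick(v string) string { return html.EscapeString(v) }

func main() {
	for _, v := range SuspiciousLe(sampleScrape) {
		fmt.Printf("non-numeric le %q, escaped for HTML: %s\n", v, EscapeTick(v))
	}
}
```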

References

  • github.com/advisories/GHSA-fw8g-cg8f-9j28
  • github.com/prometheus/prometheus
  • github.com/prometheus/prometheus/commit/38f23b9075ced1de2b82d2dad8b2bebb1ecd5b7d
  • github.com/prometheus/prometheus/security/advisories/GHSA-fw8g-cg8f-9j28


Affected versions

All versions before 0.311.3

Fixed versions

  • 0.311.3

Solution

Upgrade to version 0.311.3 or above.

Weakness

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Source file

go/github.com/prometheus/prometheus/GHSA-fw8g-cg8f-9j28.yml


Page generated Fri, 15 May 2026 12:19:22 +0000.