Skip to content

prometheus

v3.12.0 Security

This release includes 2 security fixes for security teams reviewing exposed deployments.

Published 6d Monitoring & Metrics
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →
This release patches 2 known CVEs

Topics

alerting graphing prometheus monitoring time-series

Affected surfaces

auth rce_ssrf

ReleasePort's take

Moderate signal
editorial:auto 6d

Prometheus v3.12.0 rejects remote‑write requests with snappy‑compressed payloads exceeding 32 MB and fixes plaintext secret exposure via the `/-/config` endpoint in STACKIT SD.

Why it matters: Rejects oversized snappy‑compressed remote‑write payloads (>32 MB) to mitigate DoS risk; patches a critical secrets leak from the `/-/config` endpoint. Immediate action recommended for environments using these surfaces.

Summary

AI summary

Remote‑write requests with snappy compressed payloads over 32 MB are rejected to prevent denial‑of‑service, and plaintext secrets exposed via the /-/config endpoint in STACKIT SD have been fixed.

Changes in this release

Security Critical

Reject snappy-compressed remote-write requests exceeding 32MB decoded length.

Reject snappy-compressed remote-write requests exceeding 32MB decoded length.

Source: llm_adapter@2026-05-28

Confidence: high
Security Critical

Fix secrets exposure in plaintext via `/‑/config` endpoint for STACKIT SD.

Fix secrets exposure in plaintext via `/‑/config` endpoint for STACKIT SD.

Source: llm_adapter@2026-05-28

Confidence: high
Feature Low

Add `/api/v1/status/self_metrics` endpoint returning server's own metrics as JSON.

Add `/api/v1/status/self_metrics` endpoint returning server's own metrics as JSON.

Source: llm_adapter@2026-05-28

Confidence: high
Feature Low

Add DigitalOcean Managed Databases service discovery.

Add DigitalOcean Managed Databases service discovery.

Source: llm_adapter@2026-05-28

Confidence: high
Feature Low

Add Outscale VM service discovery (`outscale_sd_configs`).

Add Outscale VM service discovery (`outscale_sd_configs`).

Source: llm_adapter@2026-05-28

Confidence: high
Feature Low

Emit warning when `sort`, `sort_by_label`, or `sort_by_label_desc` used in range (matrix) queries.

Emit warning when `sort`, `sort_by_label`, or `sort_by_label_desc` used in range (matrix) queries.

Source: llm_adapter@2026-05-28

Confidence: high
Feature Low

Add experimental PromQL functions `start()`, `end()`, `range()`, and `step()`.

Add experimental PromQL functions `start()`, `end()`, `range()`, and `step()`.

Source: llm_adapter@2026-05-28

Confidence: high
Feature Low

Update `resets()` function to consider start‑timestamp resets (behind feature flag).

Update `resets()` function to consider start‑timestamp resets (behind feature flag).

Source: llm_adapter@2026-05-28

Confidence: high
Feature Low

Adds Start Timestamp field to all WAL Histogram samples in memory when `st-storage` flag is enabled.

Adds Start Timestamp field to all WAL Histogram samples in memory when `st-storage` flag is enabled.

Source: granite4.1:30b@2026-05-28-audit

Confidence: low
Feature Low

Add support for the aix/ppc64 compilation target.

Add support for the aix/ppc64 compilation target.

Source: granite4.1:30b@2026-05-28-audit

Confidence: low
Feature Low

Use start timestamps for `rate()`, `irate()`, and `increase()` calculations behind feature flag `use-start-timestamps`.

Use start timestamps for `rate()`, `irate()`, and `increase()` calculations behind feature flag `use-start-timestamps`.

Source: granite4.1:30b@2026-05-28-audit

Confidence: low
Feature Low

Add `st-synthesis` feature flag to synthesize unknown STs for scraped cumulative metrics with Remote Writing 2.0.

Add `st-synthesis` feature flag to synthesize unknown STs for scraped cumulative metrics with Remote Writing 2.0.

Source: granite4.1:30b@2026-05-28-audit

Confidence: low
Feature Low

Add `CheckpointFromInMemorySeries` option to `agent.DB` enabling checkpoint based on in-memory series.

Add `CheckpointFromInMemorySeries` option to `agent.DB` enabling checkpoint based on in-memory series.

Source: granite4.1:30b@2026-05-28-audit

Confidence: low
Feature Low

Add web interface for deleting time series and cleaning tombstones via Status menu.

Add web interface for deleting time series and cleaning tombstones via Status menu.

Source: granite4.1:30b@2026-05-28-audit

Confidence: low
Performance Medium

Make head chunk lookup in TSDB range queries constant time instead of quadratic.

Make head chunk lookup in TSDB range queries constant time instead of quadratic.

Source: llm_adapter@2026-05-28

Confidence: high
Performance Low

Skip entire stripes in mmapHeadChunks when no series need mmapping, reducing CPU utilization.

Skip entire stripes in mmapHeadChunks when no series need mmapping, reducing CPU utilization.

Source: granite4.1:30b@2026-05-28-audit

Confidence: low
Performance Low

Skip clean series during periodic head chunk mmap using cached head chunk count.

Skip clean series during periodic head chunk mmap using cached head chunk count.

Source: granite4.1:30b@2026-05-28-audit

Confidence: low
Performance Low

Address FloatHistogram.KahanAdd performance regression on Go 1.26.

Address FloatHistogram.KahanAdd performance regression on Go 1.26.

Source: granite4.1:30b@2026-05-28-audit

Confidence: low
Bugfix Medium

Fix `info()` function handling negated `__name__` matchers correctly.

Fix `info()` function handling negated `__name__` matchers correctly.

Source: llm_adapter@2026-05-28

Confidence: high
Bugfix Medium

Reject NaN, infinite, and out-of-range duration expressions instead of silently producing an out-of-range time.Duration.

Reject NaN, infinite, and out-of-range duration expressions instead of silently producing an out-of-range time.Duration.

Source: granite4.1:30b@2026-05-28-audit

Confidence: low
Bugfix Medium

Limit decompressed body size for gzip-encoded OTLP write requests.

Limit decompressed body size for gzip-encoded OTLP write requests.

Source: granite4.1:30b@2026-05-28-audit

Confidence: low
Bugfix Low

Fix `smoothed` rate/increase returning zero instead of no result when all data falls strictly after the query range.

Fix `smoothed` rate/increase returning zero instead of no result when all data falls strictly after the query range.

Source: granite4.1:30b@2026-05-28-audit

Confidence: low
Bugfix Low

Fix metric name not being dropped when last_over_time or first_over_time applied to subqueries with name-dropping functions like abs().

Fix metric name not being dropped when last_over_time or first_over_time applied to subqueries with name-dropping functions like abs().

Source: granite4.1:30b@2026-05-28-audit

Confidence: low
Bugfix Low

Fix missing warning when mixing exponential and custom-bucket histograms in stats queries.

Fix missing warning when mixing exponential and custom-bucket histograms in stats queries.

Source: granite4.1:30b@2026-05-28-audit

Confidence: low
Bugfix Low

Fix parsing of `range()` keyword in duration expressions such as `foo[5m+range()]`.

Fix parsing of `range()` keyword in duration expressions such as `foo[5m+range()]`.

Source: granite4.1:30b@2026-05-28-audit

Confidence: low
Other Low

Reject concurrent fgprof profiles via API.

Reject concurrent fgprof profiles via API.

Source: granite4.1:30b@2026-05-28-audit

Confidence: low
Other Low

Add optional `external_id` field to AWS ECS/MSK/RDS/Elasticache service discovery configurations.

Add optional `external_id` field to AWS ECS/MSK/RDS/Elasticache service discovery configurations.

Source: granite4.1:30b@2026-05-28-audit

Confidence: low
Other Low

Introduce dynamic backoff interval for faster propagation of SD target updates, replacing static 5s throttling.

Introduce dynamic backoff interval for faster propagation of SD target updates, replacing static 5s throttling.

Source: granite4.1:30b@2026-05-28-audit

Confidence: low
Other Low

Add `--header` flag to `promtool query instant` command matching existing `query range` behaviour.

Add `--header` flag to `promtool query instant` command matching existing `query range` behaviour.

Source: granite4.1:30b@2026-05-28-audit

Confidence: low
Other Low

Allow EC2 service discovery to discover IPv6 addresses while keeping private IPv4 as default.

Allow EC2 service discovery to discover IPv6 addresses while keeping private IPv4 as default.

Source: granite4.1:30b@2026-05-28-audit

Confidence: low
Full changelog
  • [SECURITY] Remote-write: Reject snappy-compressed requests whose declared decoded length exceeds the 32MB. Thanks to @hibrian827 for reporting it. #18642
  • [SECURITY] STACKIT SD: Fix secrets being exposed in plaintext via /-/config endpoint. Thanks to @August829 and @Phaxma for reporting. GHSA-39j6-789q-qxvh #18649
  • [CHANGE] TSDB/Agent: Adds Start Timestamp field to all WAL Histogram samples in memory; used st-storage flag is enabled. #18221
  • [FEATURE] API: Add /api/v1/status/self_metrics endpoint returning the current state of the Prometheus server's own metrics about itself as JSON. #18411
  • [FEATURE] Discovery: Add DigitalOcean Managed Databases service discovery #18287
  • [FEATURE] Prometheus: Add support for the aix/ppc64 compilation target #18321
  • [FEATURE] Discovery: Add Outscale VM service discovery (outscale_sd_configs) for discovering scrape targets from the Outscale Cloud API. #18139
  • [FEATURE] PromQL: Emit a warning when sort, sort_by_label or sort_by_label_desc is used within range (matrix) queries, as these functions do not have effect in that context. #18498
  • [FEATURE] PromQL: Add start(), end(), range(), and step() experimental functions #17877
  • [FEATURE] PromQL: Update resets() function to consider start timestamp resets. Hidden behind use-start-timestamps feature flag. #18627
  • [FEATURE] Prometheus: Promote auto-reload-config as stable #18620
  • [FEATURE] TSDB/Agent: Add CheckpointFromInMemorySeries option to agent.DB that enables checkpoint based on in-memory series. #17948
  • [FEATURE] UI: Add a web interface for deleting time series and cleaning tombstones, accessible from the Status menu. #18390
  • [FEATURE] PromQL: Use start timestamps for rate(), irate(), and increase()calculations, behind a feature flaguse-start-timestamps. Doesn't work together with extended range selectors anchoredandsmoothed`. #18344
  • [FEATURE] Scrape: Added a feature flag st-synthesis which synthesizes unknown STs for scraped cumulative metrics. Useful when Remote Writing 2.0 with delta or Otel-based backends. #18279
  • [FEATURE] promqltest: support @st annotation in load blocks to specify per-sample start timestamps. #18360
  • [ENHANCEMENT] API: reject concurrent fgprof profiles. #18651
  • [ENHANCEMENT] AWS SD: Add optional external_id field to ECS/MSK/RDS/Elasticache. #18579
  • [ENHANCEMENT] AWS SD: Add optional external_id field. #17171
  • [ENHANCEMENT] Discovery: Propagate SD target updates faster by introducing dynamic backoff interval instead of static 5s interval for throttling. #18187
  • [ENHANCEMENT] Promtool: Add --header flag to query instant command, matching existing query range behaviour. #18418
  • [ENHANCEMENT]: AWS SD: Allows EC2 service discovery to discover IPv6 addresses to communicate with target endpoints. The private IPv4 address remains the default when both IPv4 and IPv6 addresses are present. #16088
  • [PERF] TSDB: Make head chunk lookup in range queries constant time instead of quadratic time #18302
  • [PERF] TSDB: Skip entire stripes in mmapHeadChunks when no series need mmapping, reducing CPU utilization significantly at production-relevant scales. #18541
  • [PERF] TSDB: Skip clean series during periodic head chunk mmap using cached head chunk count #18272
  • [PERF] PromQL: Address FloatHistogram.KahanAdd performance regression on Go 1.26. #18568
  • [BUGFIX] PromQL: Fix info() function incorrectly handling negated __name__ matchers #17932
  • [BUGFIX] API: Return duration expressions in /parse_ast. #18624
  • [BUGFIX] API: correctly document formats accepted for duration query request parameters (step, timeout and lookback delta) in OpenAPI spec #18305
  • [BUGFIX] Scrape: AppenderV2 now tracks staleness even when OOO/duplicate series errors happen similar to AppenderV1 #18567
  • [BUGFIX] Config: Validate remote_write queue_config fields at load time to prevent runtime panic and silent misconfiguration. #18209
  • [BUGFIX] Discovery/Consul: Add health_filter for Health API filtering, fixing breakage when using Catalog-only fields like ServiceTags in filter. #18479 #18499
  • [BUGFIX] OTLP: limit decompressed body size for gzip-encoded OTLP write requests. #18408
  • [BUGFIX] PromQL: Fix smoothed rate/increase returning zero instead of no result when all data falls strictly after the query range. #18523
  • [BUGFIX] PromQL: Fix metric name not being dropped when last_over_time or first_over_time is applied to subqueries containing name-dropping functions like abs(). #18409
  • [BUGFIX] PromQL: Fix missing warning when mixing exponential and custom-bucket histograms in stats queries. #18660
  • [BUGFIX] PromQL: Fix parsing of range() keyword in duration expressions such as foo[5m+range()]. #18623
  • [BUGFIX] PromQL: Fix smoothed vector selector returning no results in binary operations when the @ modifier is used. #18531
  • [BUGFIX] PromQL: Reject NaN, infinite, and out-of-range duration expressions instead of silently producing an out-of-range time.Duration. #18639
  • [BUGFIX] Scrape: Fix panic when scraping malformed native histograms. #18414
  • [BUGFIX] Scrape: fix panic when scraping a target exposing a summary with no quantiles via the protobuf format. #18382
  • [BUGFIX] Scrape: fix scrape failure log file occasionally not applied after a configuration reload. #18421
  • [BUGFIX] TSDB: Allow retention percentage with new data path. #18628
  • [BUGFIX] TSDB: Preserve decimal precision in percentage-based retention #18374
  • [BUGFIX] TSDB: fix prometheus_tsdb_head_chunks going negative after WAL replay #18401
  • [BUGFIX] TSDB: panic with native histograms during query of overlapping chunks. #18692
  • [BUGFIX] Tracing: fix startup failure for insecure OTLP HTTP tracing #18469
  • [BUGFIX] UI: Escape label values offered by PromQL autocomplete. #18658
  • [BUGFIX] UI: Improve Y-axis tick label precision for graph values over small ranges. #18682
  • [BUGFIX] prometheus_sd_refresh* and prometheus_sd_discovered_targets metrics for specific scrape jobs are deleted when the scrape job is removed. #17614
  • [BUGFIX] Remote: fixed validation for received RW2 requests when parsing metadata unit symbols. This fixes a case when request would cause (recovered) handler panic. #18641
  • [BUGFIX] TSDB/Agent: fix race in agent appender where concurrent appends for the same label set could produce duplicate in-memory series and duplicate WAL records. #18292
  • [BUGFIX] Config: Update --enable-feature flag description and sort feature names. #18487

Security Fixes

  • CVE not listed – Remote-write: Reject snappy‑compressed requests whose declared decoded length exceeds 32 MB (DoS prevention)
  • GHSA-39j6-789q-qxvh – STACKIT SD: Fix secrets exposed in plaintext via `/-/config` endpoint
View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track prometheus

Get notified when new releases ship.

Sign up free

About prometheus

The Prometheus monitoring system and time series database.

All releases →

Related context

Beta — feedback welcome: [email protected]