CVE-2024-28867 in swift-prometheusinfo

Summary

by MITRE • 03/29/2024

Swift Prometheus is a Swift client for the Prometheus monitoring system, supporting counters, gauges and histograms. In code which applies _un-sanitized string values into metric names or labels_, an attacker could make use of this and send a `?lang` query parameter containing newlines, `}` or similar characters which can lead to the attacker taking over the exported format -- including creating unbounded numbers of stored metrics, inflating server memory usage, or causing "bogus" metrics. This vulnerability is fixed in2.0.0-alpha.2.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 01/13/2026

The vulnerability identified as CVE-2024-28867 affects Swift Prometheus, a Swift client library designed for integration with the Prometheus monitoring system. This library provides functionality for creating counters, gauges, and histograms to track application metrics. The flaw stems from inadequate input sanitization when processing user-provided data, specifically allowing un-sanitized string values to be directly incorporated into metric names or labels. This represents a classic injection vulnerability that can be exploited through improper handling of user-controllable inputs.

The technical implementation of this vulnerability occurs when the library processes query parameters such as `?lang` without proper validation or sanitization of special characters. Attackers can manipulate these parameters to include newline characters, closing braces `}`, or other delimiter characters that are significant in the Prometheus exposition format. When these unsanitized values are embedded into metric names or labels, they can fundamentally alter how the metric data is structured and interpreted by the Prometheus server. This allows attackers to craft malicious inputs that can cause the exporter to generate malformed metric data, potentially leading to the creation of an unlimited number of stored metrics.

The operational impact of this vulnerability is severe and multifaceted. An attacker could exploit this flaw to inflate server memory usage exponentially by creating numerous metric entries through crafted inputs, potentially leading to resource exhaustion and service disruption. The vulnerability also enables the creation of "bogus" metrics that can corrupt monitoring data and provide false information to system administrators. Additionally, the ability to manipulate the exported format can lead to metric injection attacks that may interfere with legitimate monitoring operations, making it difficult to identify actual system issues or performance problems. This vulnerability directly maps to CWE-74, which describes improper neutralization of special elements in output data, and aligns with ATT&CK technique T1070.004 for indicator removal through manipulation of monitoring systems.

The fix for CVE-2024-28867 was implemented in version 2.0.0-alpha.2 of the Swift Prometheus library, which introduced proper input sanitization mechanisms for metric names and labels. The updated implementation ensures that special characters are properly escaped or filtered before being incorporated into the Prometheus metric format, preventing attackers from manipulating the exported data structure. Organizations should immediately upgrade to this patched version or implement equivalent mitigations through input validation at the application level. System administrators should also monitor for unusual metric growth patterns or memory consumption spikes that might indicate exploitation attempts. The vulnerability serves as a reminder of the critical importance of input validation in monitoring and observability systems, where malformed data can have cascading effects on system stability and security posture.

Responsible

GitHub, Inc.

Reservation

03/11/2024

Disclosure

03/29/2024

Moderation

accepted

CPE

ready

EPSS

0.00645

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!