CVE-2024-28867 Information
Mar 31, 2024
cve
Description
Swift Prometheus is a Swift client for the Prometheus monitoring system, supporting counters, gauges and histograms. In code that applies un-sanitized string values to metric names or labels, an attacker could make use of this and send a `?lang` query parameter containing newlines (`\n`) or similar characters, which can lead to the attacker taking over the exported format, including creating unbounded numbers of stored metrics, inflating server memory usage, or causing "bogus" metrics. This vulnerability is fixed in 2.0.0-alpha.2.
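The injection the description refers to, beside the input handling that prevents it, as an added Python example that is not part of the advisory or of swift-prometheus; the name and escaping rules are those of the Prometheus text exposition format, and the allow-list of accepted `lang` values is an assumption:

```python
import re
from typing import Dict

# Prometheus text exposition format: metric and label names are limited to
# this character set, and label values must escape backslash, quote and newline.
METRIC_NAME_RE = re.compile(r"^[a-zA-Z_:][a-zA-Z0-9_:]*$")
LABEL_NAME_RE = re.compile(r"^[a-zA-Z_][a-zA-Z0-9_]*$")

# Assumed allow-list for the ?lang parameter: bounds label cardinality so a
# client cannot create an unbounded number of stored metrics.
ALLOWED_LANGS = {"en", "de", "fr"}


def render_unsafe(name: str, labels: Dict[str, str], value: float) -> str:
    """The vulnerable pattern: untrusted strings interpolated verbatim."""
    lbl = ",".join(f'{k}="{v}"' for k, v in labels.items())
    return f"{name}{{{lbl}}} {value}\n"


def escape_label_value(v: str) -> str:
    """Escape a label value so it cannot terminate the sample line early."""
    return v.replace("\\", "\\\\").replace("\n", "\\n").replace('"', '\\"')


def render_safe(name: str, labels: Dict[str, str], value: float) -> str:
    """Hardened: validate names and escape values, so output stays one sample line."""
    if not METRIC_NAME_RE.match(name):
        raise ValueError(f"invalid metric name: {name!r}")
    for k in labels:
        if not LABEL_NAME_RE.match(k):
            raise ValueError(f"invalid label name: {k!r}")
    lbl = ",".join(f'{k}="{escape_label_value(v)}"' for k, v in labels.items())
    return f"{name}{{{lbl}}} {value}\n"


def lang_label(raw_lang: str) -> str:
    """Map the untrusted ?lang value onto a bounded set before it becomes a label."""
    return raw_lang if raw_lang in ALLOWED_LANGS else "other"


# Constructed hostile input: a ?lang value carrying a newline and a fake sample.
HOSTILE_LANG = 'en"} 1\nbogus_metric{injected="1'


def demo():
    """Returns (unsafe, safe) renderings of the same request for comparison."""
    unsafe = render_unsafe("http_requests_total", {"lang": HOSTILE_LANG}, 1)
    safe = render_safe("http_requests_total", {"lang": lang_label(HOSTILE_LANG)}, 1)
    return unsafe, safe
```

The unsafe rendering emits two sample lines (the second being the attacker's `bogus_metric`), while the hardened one emits a single line with a bounded label value.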
Reference
https://github.com/swift-server/swift-prometheus/security/advisories/GHSA-x768-cvr2-345r
https://github.com/swift-server/swift-prometheus/commit/bfcd4bbfabe11aae4b035424ee9724582e288501