Tuesday, April 29, 2025

Over 300,000 Prometheus Servers Vulnerable to DoS Attacks Due to RepoJacking Exploit


The research identified vulnerabilities in Prometheus, including information disclosure from exposed servers, DoS risks from pprof endpoints, and potential code execution threats, which could lead to data breaches, system outages, and unauthorized access.

Internet-exposed Prometheus servers are at risk of exploitation by attackers. The risks include a critical “RepoJacking” vulnerability, which allows malicious exporters to be introduced through abandoned or renamed GitHub repositories.

Untrusted users might be able to view Prometheus server information, logs, and debugging details, despite authentication support. It’s unclear if practitioners commonly expose Prometheus servers without authentication, though it’s a potential security risk.

Prometheus exporters in Shodan

Shodan analysis identified over 336,000 internet-exposed Prometheus servers and exporters, potentially leaving them vulnerable to unauthorized access and exploitation.


Prometheus servers and exporters are frequently exposed, leading to the inadvertent disclosure of sensitive secrets. Researchers have highlighted this risk, but the number of exposed instances remains substantial, posing a significant security threat.

Unauthenticated Prometheus servers and exporters expose internal data, enabling attackers to query and extract sensitive information such as credentials and API keys, potentially compromising organizational security.

Secrets Exposed in Prometheus Servers on Port 9090

Exposed Node Exporter and Prometheus metrics endpoints can leak sensitive information, including internal API endpoints, subdomains, Docker registries, and images, potentially expanding the attack surface and enabling attackers to gain unauthorized access to systems and data. 

Prometheus components use the Go pprof package for performance profiling. The net/http/pprof package provides a /debug/pprof endpoint for accessing profiling data over HTTP, as demonstrated in the Prometheus server and Node Exporter.

Misconfigured Prometheus servers and exporters expose sensitive information through the /debug/pprof endpoint, which is enabled by default. Attackers can use it to access and analyze heap profiles, traces, and other system data, potentially leading to unauthorized access and control.

 An exposed Prometheus server/Node exporter enabling access to the ‘/debug/pprof’

The exposed /debug/pprof endpoint on Prometheus components and Node Exporter is vulnerable to Denial of Service (DoS) attacks.

Exploiting this vulnerability, attackers can send multiple requests to specific endpoints, overwhelming the server’s resources and causing performance degradation or service outages. 

Node Exporter deployments on hosts or Kubernetes pods are vulnerable to DoS attacks targeting the /debug/pprof endpoint. Successful attacks can lead to host unresponsiveness, increased operational overhead, degraded cluster performance, and resource exhaustion. 

The Prometheus /debug/pprof endpoint, when exposed publicly, presents a significant security risk, allowing attackers to launch DoS attacks and potentially compromise the underlying host. 

 Exposed Prometheus server of Skoda
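For teams writing their own Go exporters, the /debug/pprof exposure described above can be avoided by keeping the profiling handlers off the scrape listener. The following is an added example, not code from Prometheus, Node Exporter or the research; the ports, the sample metric and the function names are assumptions.

```go
package main

import (
	"log"
	"net"
	"net/http"
	"net/http/pprof" // its init() registers on http.DefaultServeMux, which is never served here
)

// publicMux serves only what remote scrapers need. It is a fresh ServeMux,
// so handlers registered on http.DefaultServeMux are unreachable through it.
func publicMux(metrics http.Handler) *http.ServeMux {
	mux := http.NewServeMux()
	mux.Handle("/metrics", metrics)
	return mux
}

// debugMux exposes the profiling handlers and rejects non-loopback peers.
func debugMux() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/debug/pprof/", pprof.Index)
	mux.HandleFunc("/debug/pprof/profile", pprof.Profile)
	mux.HandleFunc("/debug/pprof/trace", pprof.Trace)
	return loopbackOnly(mux)
}

// loopbackOnly returns 403 unless the TCP peer is 127.0.0.0/8 or ::1.
func loopbackOnly(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host, _, err := net.SplitHostPort(r.RemoteAddr)
		if ip := net.ParseIP(host); err != nil || ip == nil || !ip.IsLoopback() {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	metrics := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.Write([]byte("example_up 1\n")) // constructed sample metric
	})
	// Assumed ports: profiling bound to loopback, metrics on all interfaces.
	go func() { log.Fatal(http.ListenAndServe("127.0.0.1:6060", debugMux())) }()
	log.Fatal(http.ListenAndServe(":9100", publicMux(metrics)))
}
```

The peer-address check is a second layer behind the loopback bind, so a later change to the listen address does not silently publish the profiler.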

RepoJacking exploits vulnerabilities in Prometheus exporters by allowing attackers to take over GitHub repositories referenced in official documentation, which enables them to replace legitimate exporters with malicious versions, leading to remote code execution on systems of unsuspecting users.

According to AquaSec, a GitHub redirect vulnerability allows attackers to potentially take over usernames and host malicious exporters, redirecting users to compromised versions.

Vulnerabilities in Prometheus, including unauthenticated access, can expose sensitive information and lead to DoS attacks or code execution.

Mitigations include strong authentication, limiting external exposure, securing debugging endpoints, resource limitations, and verifying open-source links to prevent supply chain attacks.
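One way to act on the link-verification advice is to audit the repository links in your own documentation or dependency list for redirects, since a redirect means the owner or repository was renamed and the old name may be free to claim. This is an added example, not tooling from AquaSec or Prometheus; it assumes the code host answers a renamed repository's old URL with an HTTP redirect, and the owner and repository names and the local stand-in server are constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// LinkStatus records where a documented repository link actually leads.
type LinkStatus struct {
	Documented, Current string // "owner/repo" as written, and as redirected to
	Renamed             bool   // true when the host redirects to another owner/repo
}

// ownerRepo returns the lower-cased first two path segments, or "" if absent.
func ownerRepo(u *url.URL) string {
	p := strings.Split(strings.Trim(u.Path, "/"), "/")
	if len(p) < 2 {
		return ""
	}
	return strings.ToLower(p[0] + "/" + p[1])
}

// CheckRepoLink requests link without following redirects and compares the
// redirect target's owner/repo with the documented one.
func CheckRepoLink(client *http.Client, link string) (LinkStatus, error) {
	c := *client // copy so the caller's redirect policy is left untouched
	c.CheckRedirect = func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse }
	resp, err := c.Head(link)
	if err != nil {
		return LinkStatus{}, err
	}
	defer resp.Body.Close()
	st := LinkStatus{Documented: ownerRepo(resp.Request.URL)}
	if loc, err := resp.Location(); err == nil { // set only when a Location header exists
		st.Current = ownerRepo(loc)
		st.Renamed = st.Current != st.Documented
	}
	return st, nil
}

func main() {
	// Constructed stand-in for the code host: old-owner was renamed to new-owner.
	srv := httptest.NewServer(http.RedirectHandler("/new-owner/example_exporter", http.StatusMovedPermanently))
	defer srv.Close()
	st, err := CheckRepoLink(srv.Client(), srv.URL+"/old-owner/example_exporter")
	fmt.Printf("%+v err=%v\n", st, err)
}
```

A link flagged as renamed should be updated to the current owner. The check cannot detect a name that has already been re-registered, because that link no longer redirects, so pinning exporters to a reviewed commit or release checksum remains necessary.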


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
