Hi team,

Recently I scanned the vulnerability golang.org/x/oauth2 CVE-2025-22868 from Prometheus 3.5.0, and also read the official doc https://prometheus.io/docs/operating/security/. Based on the code, my analysis is as follows:

Although Prometheus includes a transitive dependency on golang.org/x/oauth2, the package is not used in any execution path of the Prometheus server or its components. Prometheus does not act as an OAuth2 client or server, and its HTTP endpoints are not exposed publicly by design. Therefore, the reported CVE is a false positive and does not affect Prometheus runtime security.

I'm not sure if my analysis is correct, so I'd like you to help me double-confirm whether this vulnerability is a false positive. Thank you very much.

Thanks,
David

-- 
You received this message because you are subscribed to the Google Groups "Prometheus Developers" group. To view this discussion visit https://groups.google.com/d/msgid/prometheus-developers/CAPD-x1tGZcgyCi6MeVznUXxs5OS2LV1qPkAQbTxZn7qcvZQTGQ%40mail.gmail.com.
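A reachability argument like the one above can be checked with tooling rather than inferred from go.mod: govulncheck reports each vulnerability at module, package or symbol level, and only symbol-level findings carry a call path into the vulnerable function. The Go program below, an added example that is not from this thread or the Prometheus project, folds a `govulncheck -json` stream into a per-vulnerability reachability summary; the record shape it decodes and the sample stream are assumptions constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Subset of govulncheck's -json stream (assumed shape: newline-delimited records;
// trace[0] of a finding names the vulnerable module, its package and, at symbol
// level only, the called function; config/progress/osv records carry no finding).
type frame struct{ Module, Package, Function string }
type finding struct {
	OSV   string
	Trace []frame
}
type message struct{ Finding *finding }

// Reachability merges all findings for one OSV id. Imported: a package of the
// module is compiled in. Called: a vulnerable symbol is on a static call path.
type Reachability struct {
	Module           string
	Imported, Called bool
}

// Classify folds a govulncheck JSON stream into one Reachability per OSV id.
func Classify(stream string) (map[string]Reachability, error) {
	dec, out := json.NewDecoder(strings.NewReader(stream)), map[string]Reachability{}
	for dec.More() {
		var m message
		if err := dec.Decode(&m); err != nil {
			return nil, err
		}
		if m.Finding == nil || len(m.Finding.Trace) == 0 {
			continue
		}
		top, rc := m.Finding.Trace[0], out[m.Finding.OSV]
		rc.Module, rc.Imported, rc.Called = top.Module, rc.Imported || top.Package != "", rc.Called || top.Function != ""
		out[m.Finding.OSV] = rc
	}
	return out, nil
}

// Constructed sample: one vuln only required transitively, one actually called.
const Sample = `{"config":{"scanner_name":"govulncheck"}}
{"finding":{"osv":"GO-0000-MODONLY","trace":[{"module":"example.com/transitive","version":"v1.2.3"}]}}
{"finding":{"osv":"GO-0000-CALLED","trace":[{"module":"example.com/dep","package":"example.com/dep/parse","function":"Decode"},{"module":"example.com/app","package":"example.com/app","function":"main"}]}}`

func main() { fmt.Println(Classify(Sample)) }
```

Only an entry with Called set is evidence that the binary is affected; an entry with neither flag set is what a "required transitively, never imported" triage should look like in the scanner's own output.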

