Vulnerability golang.org/x/oauth2 CVE-2025-22868 on Prometheus LTS 3.5.x


David Quan

Oct 15, 2025, 9:48:01 PM
to prometheus...@googlegroups.com
Hi team,

Recently I scanned Prometheus 3.5.0 and found the vulnerability golang.org/x/oauth2 CVE-2025-22868, and I have also been reading the official doc https://prometheus.io/docs/operating/security/. Based on the code, my analysis is as follows:

Although Prometheus includes a transitive dependency on golang.org/x/oauth2, the package is not used in any execution path of Prometheus server or its components. Prometheus does not act as an OAuth2 client or server, and its HTTP endpoints are not exposed publicly by design. Therefore, the reported CVE is a false positive and does not affect Prometheus runtime security.

I'm not sure if my analysis is correct, so I'd like you to help me confirm whether this vulnerability is a false positive. Thank you very much.

Thanks, 
David
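The question in the post is really a reachability question: is the vulnerable code in golang.org/x/oauth2 merely present in the build list, or is it actually called from the Prometheus binary? That is exactly what govulncheck distinguishes. Run it against a checkout of the 3.5.x tag (`govulncheck -json ./cmd/prometheus`) or against the shipped binary (`govulncheck -mode=binary -json ./prometheus`), and read its JSON stream rather than the scanner's flat go.mod match. The following program is an added example for this thread; it is not code from the post or from the Prometheus project. It classifies each OSV ID in a govulncheck `-json` stream by the most precise trace it carries (module only, package imported, or function called). The embedded stream, the OSV IDs `GO-0000-0001` and `GO-0000-0002`, and the module paths `example.com/...` are constructed placeholders, not real findings; feed it real output by piping govulncheck into stdin.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"sort"
	"strings"
)

// Frame and Finding mirror the fields of govulncheck's -json "finding" entries
// that matter for reachability. Frame 0 of a trace is the vulnerable symbol,
// later frames walk back toward the scanned module's entry point.
type Frame struct {
	Module   string `json:"module"`
	Version  string `json:"version"`
	Package  string `json:"package,omitempty"`
	Function string `json:"function,omitempty"`
	Receiver string `json:"receiver,omitempty"`
}

type Finding struct {
	OSV          string   `json:"osv"`
	FixedVersion string   `json:"fixed_version,omitempty"`
	Trace        []*Frame `json:"trace"`
}

// Message is one object of the stream. govulncheck also emits "config",
// "progress" and "osv" objects; those decode with a nil Finding and are skipped.
type Message struct {
	Finding *Finding `json:"finding,omitempty"`
}

// Level is how far the scanned binary actually reaches into the vulnerable module.
type Level int

const (
	Required Level = iota // module is in the build list only: scanner noise
	Imported              // a package of the module is imported but no vulnerable symbol is called
	Called                // a vulnerable function is reachable from the binary: a real finding
)

func (l Level) String() string { return [...]string{"required", "imported", "called"}[l] }

// Classify reads a govulncheck -json stream and returns, per OSV ID, the
// strongest level seen. govulncheck may emit several findings for one ID
// (module, then package, then each call stack), so we keep the maximum.
func Classify(r io.Reader) (map[string]Level, error) {
	dec := json.NewDecoder(r)
	levels := map[string]Level{}
	for {
		var m Message
		if err := dec.Decode(&m); err == io.EOF {
			break
		} else if err != nil {
			return nil, err
		}
		f := m.Finding
		if f == nil || len(f.Trace) == 0 {
			continue
		}
		lvl := Required
		if f.Trace[0].Function != "" {
			lvl = Called
		} else if f.Trace[0].Package != "" {
			lvl = Imported
		}
		if cur, ok := levels[f.OSV]; !ok || lvl > cur {
			levels[f.OSV] = lvl
		}
	}
	return levels, nil
}

// Sample is a constructed govulncheck -json stream (placeholder IDs and modules),
// not real scanner output: one module-only finding and one called finding.
const Sample = `
{"config":{"protocol_version":"v1.0.0","scanner_name":"govulncheck"}}
{"finding":{"osv":"GO-0000-0001","fixed_version":"v0.27.0","trace":[{"module":"example.com/depmod","version":"v0.26.0"}]}}
{"finding":{"osv":"GO-0000-0002","fixed_version":"v1.2.3","trace":[{"module":"example.com/other","version":"v1.2.0","package":"example.com/other/parse"}]}}
{"finding":{"osv":"GO-0000-0002","fixed_version":"v1.2.3","trace":[{"module":"example.com/other","version":"v1.2.0","package":"example.com/other/parse","function":"Decode"},{"module":"example.com/app","package":"example.com/app","function":"main"}]}}
`

func main() {
	// Read a real stream from stdin when piped; otherwise use the constructed sample.
	var in io.Reader = strings.NewReader(Sample)
	if fi, err := os.Stdin.Stat(); err == nil && fi.Mode()&os.ModeCharDevice == 0 {
		in = os.Stdin
	}
	levels, err := Classify(in)
	if err != nil {
		fmt.Fprintln(os.Stderr, "decode:", err)
		os.Exit(1)
	}
	ids := make([]string, 0, len(levels))
	for id := range levels {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	for _, id := range ids {
		fmt.Printf("%s\t%s\n", id, levels[id])
	}
}
```

Only an ID reported at the `called` level is a true positive for that build; `required` means the module sits in go.mod without its vulnerable symbols being reachable, which is the case a go.mod-only scanner cannot tell apart. Pair this with `go version -m prometheus` to confirm which golang.org/x/oauth2 version the shipped binary was built against, since that is what the fixed-version comparison is made on.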