Vulnerability Reportprom/prometheus:v2.54.0

prom/prometheus:v2.54.0
DIGESTsha256:497fe921f22fea8535fa2bcb1c193dacc6ce98c08274257b3d18a4eaae0f9647

Executive Summary

Last scanned:

Threat Score
74/100CAUTION
Reputation
RELIABLE

This image carries significant risk; production deployment is highly discouraged without strict compensating controls. The most severe issue, CVE-2025-61726, allows denial-of-service via memory exhaustion by sending many query parameters to the Prometheus HTTP server, which is directly reachable. Additionally, CVE-2026-33186 could permit authorization bypass in the gRPC endpoint, but only if custom path-based authorization policies are configured—note this requires non-default gRPC authorization setup. With 88 total vulnerabilities and 27 of medium or higher severity, the attack surface is large, though the image is from a reputable publisher.

Vulnerabilities

Vulnerability Log

99 total
CVE IDAdjusted SeverityPackageExploit ProbabilityRisk Context
CVE-2025-61726HIGH7.5
stdlib
v1.22.6
fixed in 1.24.12, 1.25.6
1.9%
Low-Moderate Risk
Directly ExposedContext importance: HIGH
CVE-2026-33186HIGH7.28
google.golang.org/grpc
v1.65.0
fixed in 1.79.3
1.6%
Low-Moderate Risk
Directly ExposedContext importance: MEDIUM
CVE-2025-68121MEDIUM6.8
stdlib
v1.22.6
fixed in 1.24.13, 1.25.7, 1.26.0-rc.3
0.8%
Theoretical Threat
Directly ExposedContext importance: MEDIUM
CVE-2026-41567MEDIUM6.38
github.com/docker/docker
v27.0.3+incompatible
No fix yet
0.2%
Theoretical Threat
Directly Exposed
CVE-2026-39882MEDIUM6.38
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp
v1.28.0
fixed in 1.43.0
0.2%
Theoretical Threat
Directly Exposed
CVE-2026-39829MEDIUM6.38
golang.org/x/crypto
v0.25.0
fixed in 0.52.0
0.4%
Theoretical Threat
Directly Exposed
CVE-2026-39830MEDIUM6.38
golang.org/x/crypto
v0.25.0
fixed in 0.52.0
0.5%
Theoretical Threat
Directly Exposed
CVE-2026-39835MEDIUM6.38
golang.org/x/crypto
v0.25.0
fixed in 0.52.0
0.4%
Theoretical Threat
Directly Exposed
CVE-2026-46597MEDIUM6.38
golang.org/x/crypto
v0.25.0
fixed in 0.52.0
0.4%
Theoretical Threat
Directly Exposed
CVE-2026-33814MEDIUM6.38
golang.org/x/net
v0.27.0
fixed in 0.53.0
0.8%
Theoretical Threat
Directly Exposed
CVE-2025-61729MEDIUM6.38
stdlib
v1.22.6
fixed in 1.24.11, 1.25.5
0.5%
Theoretical Threat
Directly Exposed
CVE-2026-25679MEDIUM6.38
stdlib
v1.22.6
fixed in 1.25.8, 1.26.1
0.7%
Theoretical Threat
Directly Exposed
CVE-2026-27145MEDIUM6.38
stdlib
v1.22.6
fixed in 1.25.11, 1.26.4
0.9%
Theoretical Threat
Directly Exposed
CVE-2026-32280MEDIUM6.38
stdlib
v1.22.6
fixed in 1.25.9, 1.26.2
0.6%
Theoretical Threat
Directly Exposed
CVE-2026-32281MEDIUM6.38
stdlib
v1.22.6
fixed in 1.25.9, 1.26.2
0.3%
Theoretical Threat
Directly Exposed
CVE-2026-32283MEDIUM6.38
stdlib
v1.22.6
fixed in 1.25.9, 1.26.2
0.6%
Theoretical Threat
Directly Exposed
CVE-2026-33811MEDIUM6.38
stdlib
v1.22.6
fixed in 1.25.10, 1.26.3
0.8%
Theoretical Threat
Directly Exposed
CVE-2026-33814MEDIUM6.38
stdlib
v1.22.6
fixed in 1.25.10, 1.26.3
0.8%
Theoretical Threat
Directly Exposed
CVE-2026-39820MEDIUM6.38
stdlib
v1.22.6
fixed in 1.25.10, 1.26.3
0.8%
Theoretical Threat
Directly Exposed
CVE-2026-39836MEDIUM6.38
stdlib
v1.22.6
fixed in 1.25.10, 1.26.3
0.6%
Theoretical Threat
Directly Exposed
CVE-2026-42499MEDIUM6.38
stdlib
v1.22.6
fixed in 1.25.10, 1.26.3
0.8%
Theoretical Threat
Directly Exposed
CVE-2026-42504MEDIUM6.38
stdlib
v1.22.6
fixed in 1.25.11, 1.26.4
0.6%
Theoretical Threat
Directly Exposed
CVE-2025-58183MEDIUM6.38
stdlib
v1.22.6
fixed in 1.24.8, 1.25.2
0.4%
Theoretical Threat
Directly Exposed
CVE-2025-61728MEDIUM6.38
stdlib
v1.22.6
fixed in 1.24.12, 1.25.6
0.6%
Theoretical Threat
Directly Exposed
CVE-2026-42508MEDIUM6.29
golang.org/x/crypto
v0.25.0
fixed in 0.52.0
0.5%
Theoretical Threat
Directly Exposed
CVE-2026-42306MEDIUM6.12
github.com/docker/docker
v27.0.3+incompatible
No fix yet
0.1%
Theoretical Threat
Directly Exposed
CVE-2026-46595MEDIUM6.03
golang.org/x/crypto
v0.25.0
fixed in 0.52.0
0.4%
Theoretical Threat
Directly Exposed
CVE-2026-39883MEDIUM5.95
go.opentelemetry.io/otel/sdk
v1.28.0
fixed in 1.43.0
0.2%
Theoretical Threat
Directly Exposed
CVE-2025-47907MEDIUM5.95
stdlib
v1.22.6
fixed in 1.23.12, 1.24.6
0.4%
Theoretical Threat
Directly Exposed
CVE-2024-34158MEDIUM5.9
stdlib
v1.22.6
fixed in 1.22.7, 1.23.1
1.0%
Low-Moderate Risk
Directly Exposed
CVE-2025-4673MEDIUM5.78
stdlib
v1.22.6
fixed in 1.23.10, 1.24.4
0.6%
Theoretical Threat
Directly Exposed
CVE-2026-39821MEDIUM5.58
golang.org/x/net
v0.27.0
fixed in 0.55.0
0.5%
Theoretical Threat
Directly ExposedContext importance: MEDIUM
CVE-2026-39827MEDIUM5.52
golang.org/x/crypto
v0.25.0
fixed in 0.52.0
0.2%
Theoretical Threat
Directly Exposed
CVE-2026-39834MEDIUM5.52
golang.org/x/crypto
v0.25.0
fixed in 0.52.0
0.5%
Theoretical Threat
Directly Exposed
CVE-2025-22872MEDIUM5.52
golang.org/x/net
v0.27.0
fixed in 0.38.0
0.5%
Theoretical Threat
Directly Exposed
CVE-2026-25680MEDIUM5.52
golang.org/x/net
v0.27.0
fixed in 0.55.0
0.2%
Theoretical Threat
Directly Exposed
CVE-2025-47906MEDIUM5.52
stdlib
v1.22.6
fixed in 1.23.12, 1.24.6
0.5%
Theoretical Threat
Directly Exposed
CVE-2025-61727MEDIUM5.52
stdlib
v1.22.6
fixed in 1.24.11, 1.25.5
0.3%
Theoretical Threat
Directly Exposed
CVE-2026-39825MEDIUM5.52
stdlib
v1.22.6
fixed in 1.25.10, 1.26.3
0.4%
Theoretical Threat
Directly Exposed
CVE-2026-25681MEDIUM5.5
golang.org/x/net
v0.27.0
fixed in 0.55.0
0.2%
Theoretical Threat
Directly ExposedContext importance: MEDIUM
CVE-2026-27136MEDIUM5.5
golang.org/x/net
v0.27.0
fixed in 0.55.0
0.2%
Theoretical Threat
Directly ExposedContext importance: MEDIUM
CVE-2026-32282MEDIUM5.44
stdlib
v1.22.6
fixed in 1.25.9, 1.26.2
0.3%
Theoretical Threat
Directly Exposed
CVE-2026-42502MEDIUM5.18
golang.org/x/net
v0.27.0
fixed in 0.55.0
0.2%
Theoretical Threat
Directly Exposed
CVE-2026-32289MEDIUM5.18
stdlib
v1.22.6
fixed in 1.25.9, 1.26.2
0.3%
Theoretical Threat
Directly Exposed
CVE-2025-30204MEDIUM5.1
github.com/golang-jwt/jwt/v5
v5.2.1
fixed in 5.2.2
0.7%
Theoretical Threat
Directly ExposedContext importance: MEDIUM
CVE-2024-45338MEDIUM5.1
golang.org/x/net
v0.27.0
fixed in 0.33.0
0.9%
Theoretical Threat
Directly ExposedContext importance: MEDIUM
CVE-2025-22868MEDIUM5.1
golang.org/x/oauth2
v0.21.0
fixed in 0.27.0
0.8%
Theoretical Threat
Directly ExposedContext importance: MEDIUM
CVE-2024-34155MEDIUM5.02
stdlib
v1.22.6
fixed in 1.22.7, 1.23.1
0.8%
Theoretical Threat
Directly Exposed
CVE-2024-45336MEDIUM5.02
stdlib
v1.22.6
fixed in 1.22.11, 1.23.5, 1.24.0-rc.2
0.6%
Theoretical Threat
Directly Exposed
CVE-2026-39833MEDIUM4.67
golang.org/x/crypto
v0.25.0
fixed in 0.52.0
0.4%
Theoretical Threat
Directly Exposed
CVE-2026-32288MEDIUM4.67
stdlib
v1.22.6
fixed in 1.25.9, 1.26.2
0.3%
Theoretical Threat
Directly Exposed
CVE-2026-42506MEDIUM4.59
golang.org/x/net
v0.27.0
fixed in 0.55.0
0.2%
Theoretical Threat
Directly Exposed
CVE-2025-22871MEDIUM4.59
stdlib
v1.22.6
fixed in 1.23.8, 1.24.2
0.8%
Theoretical Threat
Directly Exposed
CVE-2026-27142MEDIUM4.59
stdlib
v1.22.6
fixed in 1.25.8, 1.26.1
0.3%
Theoretical Threat
Directly Exposed
CVE-2026-39823MEDIUM4.59
stdlib
v1.22.6
fixed in 1.25.10, 1.26.3
0.3%
Theoretical Threat
Directly Exposed
CVE-2026-39826MEDIUM4.59
stdlib
v1.22.6
fixed in 1.25.10, 1.26.3
0.4%
Theoretical Threat
Directly Exposed
CVE-2025-47914MEDIUM4.5
golang.org/x/crypto
v0.25.0
fixed in 0.45.0
0.5%
Theoretical Threat
Directly Exposed
CVE-2025-58181MEDIUM4.5
golang.org/x/crypto
v0.25.0
fixed in 0.45.0
0.5%
Theoretical Threat
Directly Exposed
CVE-2026-46598MEDIUM4.5
golang.org/x/crypto
v0.25.0
fixed in 0.52.0
0.3%
Theoretical Threat
Directly Exposed
CVE-2025-47911MEDIUM4.5
golang.org/x/net
v0.27.0
fixed in 0.45.0
0.5%
Theoretical Threat
Directly Exposed
CVE-2025-58190MEDIUM4.5
golang.org/x/net
v0.27.0
fixed in 0.45.0
0.5%
Theoretical Threat
Directly Exposed
CVE-2025-22866MEDIUM4.5
stdlib
v1.22.6
fixed in 1.22.12, 1.23.6, 1.24.0-rc.3
0.3%
Theoretical Threat
Directly Exposed
CVE-2025-22873MEDIUM4.5
stdlib
v1.22.6
fixed in 1.23.9, 1.24.3
0.2%
Theoretical Threat
Directly Exposed
CVE-2025-47912MEDIUM4.5
stdlib
v1.22.6
fixed in 1.24.8, 1.25.2
0.4%
Theoretical Threat
Directly Exposed
CVE-2025-58185MEDIUM4.5
stdlib
v1.22.6
fixed in 1.24.8, 1.25.2
0.5%
Theoretical Threat
Directly Exposed
CVE-2025-58187MEDIUM4.5
stdlib
v1.22.6
fixed in 1.24.9, 1.25.3
0.4%
Theoretical Threat
Directly Exposed
CVE-2025-58188MEDIUM4.5
stdlib
v1.22.6
fixed in 1.24.8, 1.25.2
0.4%
Theoretical Threat
Directly Exposed
CVE-2025-58189MEDIUM4.5
stdlib
v1.22.6
fixed in 1.24.8, 1.25.2
0.4%
Theoretical Threat
Directly Exposed
CVE-2025-61723MEDIUM4.5
stdlib
v1.22.6
fixed in 1.24.8, 1.25.2
0.6%
Theoretical Threat
Directly Exposed
CVE-2025-61724MEDIUM4.5
stdlib
v1.22.6
fixed in 1.24.8, 1.25.2
0.5%
Theoretical Threat
Directly Exposed
CVE-2025-61725MEDIUM4.5
stdlib
v1.22.6
fixed in 1.24.8, 1.25.2
0.6%
Theoretical Threat
Directly Exposed
CVE-2025-61730MEDIUM4.5
stdlib
v1.22.6
fixed in 1.24.12, 1.25.6
0.3%
Theoretical Threat
Directly Exposed
CVE-2026-42505MEDIUM4.5
stdlib
v1.22.6
fixed in 1.25.12, 1.26.5, 1.27.0-rc.2
0.4%
Theoretical Threat
Directly Exposed
CVE-2026-42507MEDIUM4.5
stdlib
v1.22.6
fixed in 1.25.11, 1.26.4
0.4%
Theoretical Threat
Directly Exposed
CVE-2025-58186MEDIUM4.5
stdlib
v1.22.6
fixed in 1.24.8, 1.25.2
0.5%
Theoretical Threat
Directly Exposed
CVE-2025-54410MEDIUM4.42
github.com/docker/docker
v27.0.3+incompatible
fixed in 25.0.13, 28.0.0
0.2%
Theoretical Threat
Directly Exposed
CVE-2024-41110MEDIUM4.1
github.com/docker/docker
v27.0.3+incompatible
fixed in 23.0.15, 26.1.5, 27.1.1, 25.0.6
16.5%
High Exploitation Risk
Post-Exploit
CVE-2025-22870LOW3.74
golang.org/x/net
v0.27.0
fixed in 0.36.0
0.4%
Theoretical Threat
Directly Exposed
CVE-2025-22870LOW3.74
stdlib
v1.22.6
fixed in 1.23.7, 1.24.1
0.4%
Theoretical Threat
Directly Exposed
CVE-2024-45341LOW3.57
stdlib
v1.22.6
fixed in 1.22.11, 1.23.5, 1.24.0-rc.2
0.5%
Theoretical Threat
Directly Exposed
CVE-2026-41568LOW3.31
github.com/docker/docker
v27.0.3+incompatible
No fix yet
0.1%
Theoretical Threat
Directly Exposed
CVE-2024-45337LOW2.95
golang.org/x/crypto
v0.25.0
fixed in 0.31.0
3.2%
Low-Moderate Risk
Post-Exploit
CVE-2026-34040LOW2.81
github.com/docker/docker
v27.0.3+incompatible
fixed in 29.3.1
8.1%
Low-Moderate Risk
Post-Exploit
CVE-2024-34156LOW2.7
stdlib
v1.22.6
fixed in 1.22.7, 1.23.1
1.1%
Low-Moderate Risk
Post-Exploit
CVE-2026-39828LOW2.69
golang.org/x/crypto
v0.25.0
fixed in 0.52.0
0.3%
Theoretical Threat
Post-Exploit
CVE-2026-39832LOW2.66
golang.org/x/crypto
v0.25.0
fixed in 0.52.0
0.5%
Theoretical Threat
Post-Exploit
CVE-2026-33997LOW2.48
github.com/docker/docker
v27.0.3+incompatible
fixed in 29.3.1
0.4%
Theoretical Threat
Post-Exploit
CVE-2026-39831LOW2.48
golang.org/x/crypto
v0.25.0
fixed in 0.52.0
0.4%
Theoretical Threat
Post-Exploit
CVE-2026-39822LOW2.39
stdlib
v1.22.6
fixed in 1.25.12, 1.26.5, 1.27.0-rc.2
0.2%
Theoretical Threat
Post-Exploit
CVE-2025-22869LOW2.29
golang.org/x/crypto
v0.25.0
fixed in 0.35.0
0.9%
Theoretical Threat
Post-Exploit
CVE-2025-47913LOW2.29
golang.org/x/crypto
v0.25.0
fixed in 0.43.0
0.6%
Theoretical Threat
Post-Exploit
CVE-2026-27139LOW2.12
stdlib
v1.22.6
fixed in 1.25.8, 1.26.1
0.2%
Theoretical Threat
Directly Exposed
CVE-2026-2303NONE0
go.mongodb.org/mongo-driver
v1.14.0
fixed in 1.17.7
0.2%
Theoretical Threat
Not Applicable
CVE-2026-24051NONE0
go.opentelemetry.io/otel/sdk
v1.28.0
fixed in 1.40.0
0.2%
Theoretical Threat
Not Applicable
GO-2026-5932NONE0
golang.org/x/crypto
v0.25.0
No fix yet
Not Applicable
CVE-2026-46600NONE0
golang.org/x/net
v0.27.0
fixed in 0.56.0
Not Applicable
CVE-2026-39824NONE0
golang.org/x/sys
v0.22.0
fixed in 0.44.0
0.1%
Theoretical Threat
Not Applicable
CVE-2026-56852NONE0
golang.org/x/text
v0.16.0
fixed in 0.39.0
Not Applicable
CVE-2025-0913NONE0
stdlib
v1.22.6
fixed in 1.23.10, 1.24.4
0.2%
Theoretical Threat
Not Applicable

Want to check another image? Run a full scan with the Docker Security Scanner.