CVE-2021-29622

Name: CVE-2021-29622
Creator: NVD / NIST
Published: 2021-05-19T20:15:07.487+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 6.1/10EPSS 19.56%

Last modified Jun 17, 2026

CVE-2021-29622 is a medium-severity vulnerability rated 6.1/10 on the CVSS scale. Prometheus is an open-source monitoring system and time series database. In 2.23.0, Prometheus changed its default UI to the New ui. EPSS estimates a 19.56% chance of exploitation in the next 30 days.

Description

Prometheus is an open-source monitoring system and time series database. In 2.23.0, Prometheus changed its default UI to the New ui. To ensure a seamless transition, the URL's prefixed by /new redirect to /. Due to a bug in the code, it is possible for an attacker to craft an URL that can redirect to any other URL, in the /new endpoint. If a user visits a prometheus server with a specially crafted address, they can be redirected to an arbitrary URL. The issue was patched in the 2.26.1 and 2.27.1 releases. In 2.28.0, the /new endpoint will be removed completely. The workaround is to disable access to /new via a reverse proxy in front of Prometheus.

Metrics

CVSS 3.1

6.1/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS Probability

19.56%

97.0th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-601

Affected Software

Vendor	Product	Versions
Prometheus	Prometheus	>= 2.23.0, < 2.26.1
Prometheus	Prometheus	2.27.0

References

https://github.com/prometheus/prometheus/releases/tag/v2.26.1Third Party Advisory
https://github.com/prometheus/prometheus/releases/tag/v2.27.1Third Party Advisory
https://github.com/prometheus/prometheus/security/advisories/GHSA-vx57-7f4q-fpc7Third Party Advisory
https://github.com/prometheus/prometheus/releases/tag/v2.26.1Third Party Advisory
https://github.com/prometheus/prometheus/releases/tag/v2.27.1Third Party Advisory
https://github.com/prometheus/prometheus/security/advisories/GHSA-vx57-7f4q-fpc7Third Party Advisory

Timeline

Published: May 19, 2021
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2021-29622?

How severe is CVE-2021-29622?

CVE-2021-29622 has a CVSS score of 6.1/10 (MEDIUM severity). The EPSS model estimates a 19.56% probability of exploitation in the next 30 days.

How do I fix CVE-2021-29622?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2021-29622?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST