Security update for golang-github-prometheus-prometheus SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2026:20239-1 Final 1 1 2026-02-17T09:54:15Z current 2026-02-17T09:54:15Z 2026-02-17T09:54:15Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for golang-github-prometheus-prometheus This update for golang-github-prometheus-prometheus fixes the following issues: - CVE-2026-25547: Fixed an unbounded brace range expansion leading to excessive CPU and memory consumption. (bsc#1257841) - CVE-2026-1615: Fixed arbitrary code injection due to unsafe evaluation of user-supplied JSON Path expressions in jsonpath. (bsc#1257897) - CVE-2025-61140: Fixed a function vulnerable to prototype pollution in jsonpath. (bsc#1257442) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Leap-16.0-290 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1257442 SUSE Bug 1257442 https://bugzilla.suse.com/1257841 SUSE Bug 1257841 https://bugzilla.suse.com/1257897 SUSE Bug 1257897 https://www.suse.com/security/cve/CVE-2025-61140/ SUSE CVE CVE-2025-61140 page https://www.suse.com/security/cve/CVE-2026-1615/ SUSE CVE CVE-2026-1615 page https://www.suse.com/security/cve/CVE-2026-25547/ SUSE CVE CVE-2026-25547 page openSUSE Leap 16.0 golang-github-prometheus-prometheus-3.5.0-160000.2.1 golang-github-prometheus-prometheus-3.5.0-160000.2.1 as a component of openSUSE Leap 16.0 The value function in jsonpath 1.1.1 lib/index.js is vulnerable to Prototype Pollution. CVE-2025-61140 openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.2.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-61140.html CVE-2025-61140 https://bugzilla.suse.com/1257442 SUSE Bug 1257442 Versions of the package jsonpath before 1.2.0 are vulnerable to Arbitrary Code Injection via unsafe evaluation of user-supplied JSON Path expressions. The library relies on the static-eval module to process JSON Path input, which is not designed to handle untrusted data safely. An attacker can exploit this vulnerability by supplying a malicious JSON Path expression that, when evaluated, executes arbitrary JavaScript code, leading to Remote Code Execution in Node.js environments or Cross-site Scripting (XSS) in browser contexts. This affects all methods that evaluate JSON Paths against objects, including .query, .nodes, .paths, .value, .parent, and .apply. CVE-2026-1615 openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.2.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2026-1615.html CVE-2026-1615 https://bugzilla.suse.com/1257897 SUSE Bug 1257897 @isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process. This issue has been patched in version 5.0.1. CVE-2026-25547 openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.2.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2026-25547.html CVE-2026-25547 https://bugzilla.suse.com/1257834 SUSE Bug 1257834