Prometheus enables the pprof debug tool by default. How to disable pprof?

achengxf · July 17, 2022, 5:52pm

Prometheus enables the pprof debug tool by default, and the vulnerability scanning tool finds sensitive information leaks. How to disable pprof?

SuperQ · July 17, 2022, 5:56pm

Has the tool actually found an information leak? Or is it just warning of a potential leak?

Vulnerability scans are prone to false positives. This is likely the case here, as pprof is generally considered a safe endpoint. No more or less sensitive as the Prometheus HTTP API itself.

m01ly · June 10, 2023, 9:18am

Have the bloggers finally resolved this issue? How to disable pprof?

Pat · October 30, 2023, 4:07pm

Hi All, has any one figured out how to workaround this, i.e., disable pprof? We’re also getting vuln report on this for all our nodes.

jlsong01 · March 29, 2024, 4:09am

maybe the last resort would rebuild the prometheus binary with some code change to disable pprof.

Topic		Replies	Views
DIsable the 9090/status Page Prometheus API Prometheus server	0	79	March 7, 2024
Vulnerabilities in the official Docker image General Help/Support	0	328	May 29, 2023
Interesting PM2/prometheus binary interaction General Help/Support	0	242	December 10, 2022
Prometheus related vulnerability show up even if the project does not use it as a dependency General Help/Support	0	56	February 22, 2024
Debug Prometheus Blackbox Exporter http_2xx probs General Help/Support	1	376	February 22, 2022

Prometheus enables the pprof debug tool by default. How to disable pprof?

Related Topics