Port 9090 – Prometheus (Prometheus Monitoring)

Service: http

Protocol: TCP

Port: 9090

Used for: Metrics and monitoring interfaces

Why It’s Open

Port 9090 is primarily used by Prometheus, an open-source monitoring and alerting toolkit. It serves as the default port for Prometheus’s web interface and API endpoints. Other web services and internal dashboards also use this port in development environments and cloud-native applications.

Organizations use this port for system metrics collection, real-time performance monitoring, and infrastructure visibility—especially in Kubernetes clusters, DevOps pipelines, and observability stacks.

Common Risks

  • Unauthorized Access
    Exposed endpoints may leak system internals to unauthenticated users.
  • Data Exposure
    Historical metrics may reveal sensitive infrastructure behavior or user activity.
  • Authentication Bypass
    Prometheus often runs without any built-in access control.
  • Query Injection
    Malicious or malformed PromQL queries may cause resource overuse or crash monitoring processes.
  • Resource Exhaustion
    Unrestricted access allows heavy or repeated metric queries, degrading performance.


Enumeration & Testing

Basic port scan (replace <target> with the host or range in scope):

nmap -sV -p 9090 <target>

Prometheus check (the scrape endpoint answers on a default install without credentials):

curl -v http://<target>:9090/metrics

API endpoint test (the loaded configuration; Prometheus masks secret values in this output, but job names and targets remain visible):

curl -v http://<target>:9090/api/v1/status/config

Web interface scan:

nikto -h <target> -p 9090

What to Look For

Checkpoint           | What it means
---------------------|-----------------------------------------------------
Exposed metrics      | Internal system data publicly accessible
No authentication    | Prometheus instance lacks access control
Query endpoints      | Interface may allow injected/malicious queries
Alert rules visible  | Reveals monitoring logic and internal structure
Debug features       | Application development internals exposed

Mitigation

  • Access Control
    Protect Prometheus endpoints with a reverse proxy and strong authentication (e.g., OAuth2, Basic Auth, SSO).
  • Network Restriction
    Restrict port 9090 to internal or VPN-only access.
  • TLS Encryption
    Use HTTPS to prevent MITM attacks.
  • Query Limits
    Apply limits and timeouts to PromQL queries to prevent abuse.
  • Metric Filtering
    Avoid exposing sensitive metrics like system paths, credentials, or tokens.
  • Regular Updates
    Patch Prometheus, Grafana, and other monitoring tools frequently.
  • Audit Logging
    Enable detailed access logs to detect enumeration or brute-force attempts.
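The checkpoints in the "What to Look For" table and the mitigation bullets above can be verified against an instance you operate with a short read-only self-audit. The script below is an added example, not code from this page, from PentestPad, or from the Prometheus project. It assumes the standard Prometheus HTTP API paths (/metrics, /api/v1/status/config, /api/v1/status/flags, /api/v1/rules), which are part of Prometheus's documented API; the function names, the constructed sample responses and the base-URL argument are the example's own. The flags check leans on the fact that Prometheus's own TLS and basic-auth support is switched on through the web config file (`--web.config.file`), so an empty value there means the server itself enforces neither.

```python
# Added example (not code from the page or from the Prometheus project): a
# read-only self-audit that turns the "What to Look For" checkpoints and the
# mitigation list into HTTP checks against a Prometheus instance you operate.
# Assumes the standard Prometheus API paths listed in ENDPOINTS and plain GET
# requests with no credentials; nothing here changes server state.
import json
import sys
import urllib.error
import urllib.request

ENDPOINTS = {
    "metrics": "/metrics",
    "config": "/api/v1/status/config",
    "flags": "/api/v1/status/flags",
    "rules": "/api/v1/rules",
}


def fetch(base_url, path, timeout=5):
    """GET base_url + path anonymously and return (status, body).

    A 401/403 is a normal result, not an error: it is exactly what a
    protected instance should answer to an unauthenticated client.
    """
    url = base_url.rstrip("/") + path
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def _api_data(body):
    """Return the 'data' member of a Prometheus API envelope, or None."""
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    if isinstance(doc, dict) and doc.get("status") == "success":
        return doc.get("data")
    return None


def audit(responses):
    """Map endpoint responses to findings, one string per issue.

    `responses` maps the ENDPOINTS keys to (status_code, body_text), so the
    same logic runs on live fetches and on the constructed samples below.
    """
    findings = []

    status, body = responses.get("metrics", (None, ""))
    if status == 200 and "# HELP" in body:
        findings.append("metrics: scrape endpoint readable without authentication")

    status, body = responses.get("config", (None, ""))
    if status == 200 and _api_data(body) is not None:
        findings.append("config: loaded configuration readable (job names, targets, scrape topology)")

    status, body = responses.get("rules", (None, ""))
    if status == 200:
        groups = (_api_data(body) or {}).get("groups") or []
        if groups:
            findings.append(f"rules: {len(groups)} rule group(s) visible, alerting logic exposed")

    status, body = responses.get("flags", (None, ""))
    if status == 200:
        flags = _api_data(body) or {}
        # Flag values come back as strings, e.g. "true", "false" or "".
        if flags.get("web.enable-admin-api") == "true":
            findings.append("flags: admin API enabled; keep it off unless an operator needs it")
        if flags.get("web.enable-lifecycle") == "true":
            findings.append("flags: lifecycle endpoints enabled; reload/quit reachable over HTTP")
        if not flags.get("web.config.file"):
            findings.append("flags: no web config file, so Prometheus itself enforces neither TLS nor basic auth")
        listen = flags.get("web.listen-address", "")
        if listen.startswith("0.0.0.0:") or listen.startswith(":"):
            findings.append(f"flags: listening on all interfaces ({listen}); bind internally or firewall port 9090")

    return findings


def audit_url(base_url):
    """Fetch every endpoint from a live instance and audit the results."""
    return audit({name: fetch(base_url, path) for name, path in ENDPOINTS.items()})


# Constructed sample responses (not captured from any real system) so the
# audit logic can be exercised offline: a default install versus one that
# answers anonymous requests with 401.
SAMPLE_UNPROTECTED = {
    "metrics": (200, "# HELP up Scrape success.\n# TYPE up gauge\nup 1\n"),
    "config": (200, json.dumps({"status": "success", "data": {"yaml": "global: {}\n"}})),
    "flags": (200, json.dumps({"status": "success", "data": {
        "web.enable-admin-api": "true",
        "web.enable-lifecycle": "false",
        "web.config.file": "",
        "web.listen-address": "0.0.0.0:9090",
    }})),
    "rules": (200, json.dumps({"status": "success", "data": {"groups": [{"name": "example", "rules": []}]}})),
}
SAMPLE_PROTECTED = {name: (401, "Unauthorized\n") for name in ENDPOINTS}

if __name__ == "__main__":
    # Usage: python audit.py http://127.0.0.1:9090 (no argument runs the offline sample)
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = audit_url(target) if target else audit(SAMPLE_UNPROTECTED)
    print("\n".join(results) or "no findings")
```

Each finding maps back to a mitigation bullet: the metrics, config and rules lines are closed by access control and network restriction, the web-config line by TLS and authentication on the server or its reverse proxy, and the listen-address line by binding to an internal interface or VPN-only network. Run it against your own instance from the network it is meant to serve; a clean run prints "no findings" when every endpoint refuses anonymous requests.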

TL;DR

  • Port 9090 = Prometheus / Monitoring
  • Exposes metrics, alerts, and internal topology
  • Lacks default access control
  • High risk if open to public
  • Enforce auth, TLS, and IP filtering
  • Regularly audit and update

Known CVEs and Exploits

  • CVE-2023-40577 – XSS in Alertmanager’s /api/v1/alerts, allows arbitrary script execution
  • CVE-2025-3454 – Grafana proxy API bypass, permits unauthorized GET requests to Prometheus
  • CVE-2025-3145 – Prometheus-Grafana integration leaks alert contact configuration data