It is currently possible to request arbitrary URLs from chartmuseum which will not be normalized via mapURLWithParamsBackToRouteTemplate(). This means that someone with evil intentions could add a high level of cardinality to that metric leading to potential issues with prometheus.

See zsais/go-gin-prometheus#36