Skip to content

Update module go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp to v1.43.0 [SECURITY] - autoclosed#4224

Closed
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/go-go.opentelemetry.io-otel-exporters-otlp-otlpmetric-otlpmetrichttp-vulnerability
Closed

Update module go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp to v1.43.0 [SECURITY] - autoclosed#4224
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/go-go.opentelemetry.io-otel-exporters-otlp-otlpmetric-otlpmetrichttp-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Apr 23, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.42.0v1.43.0 age confidence

opentelemetry-go: OTLP HTTP exporters read unbounded HTTP response bodies

CVE-2026-39882 / GHSA-w8rr-5gcm-pp58

More information

Details

overview:
this report shows that the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory bytes.Buffer without a size cap.

this is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can mitm the exporter connection).

severity

HIGH

not claiming: this is a remote dos against every default deployment.
claiming: if the exporter sends traces to an untrusted collector endpoint (or over a network segment where mitm is realistic), that endpoint can crash the process via a large response body.

callsite (pinned):

  • exporters/otlp/otlptrace/otlptracehttp/client.go:199
  • exporters/otlp/otlptrace/otlptracehttp/client.go:230
  • exporters/otlp/otlpmetric/otlpmetrichttp/client.go:170
  • exporters/otlp/otlpmetric/otlpmetrichttp/client.go:201
  • exporters/otlp/otlplog/otlploghttp/client.go:190
  • exporters/otlp/otlplog/otlploghttp/client.go:221

permalinks (pinned):

root cause:
each exporter client reads resp.Body using io.Copy(&respData, resp.Body) into a bytes.Buffer on both success and error paths, with no upper bound.

impact:
a malicious collector can force large transient heap allocations during export (peak memory scales with attacker-chosen response size) and can potentially crash the instrumented process (oom).

affected component:

  • go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp
  • go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp
  • go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp

repro (local-only):

unzip poc.zip -d poc
cd poc
make canonical resp_bytes=33554432 chunk_delay_ms=0

expected output contains:

[CALLSITE_HIT]: otlptracehttp.UploadTraces::io.Copy(resp.Body)
[PROOF_MARKER]: resp_bytes=33554432 peak_alloc_bytes=118050512

control (same env, patched target):

unzip poc.zip -d poc
cd poc
make control resp_bytes=33554432 chunk_delay_ms=0

expected control output contains:

[CALLSITE_HIT]: otlptracehttp.UploadTraces::io.Copy(resp.Body)
[NC_MARKER]: resp_bytes=33554432 peak_alloc_bytes=512232

attachments: poc.zip (attached)

PR_DESCRIPTION.md

attack_scenario.md

poc.zip

Fixed in: https://github.com/open-telemetry/opentelemetry-go/pull/8108

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

open-telemetry/opentelemetry-go (go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp)

v1.43.0: /v0.65.0/v0.19.0

Compare Source

Added

  • Add IsRandom and WithRandom on TraceFlags, and IsRandom on SpanContext in go.opentelemetry.io/otel/trace
    for W3C Trace Context Level 2 Random Trace ID Flag support. (#​8012)
  • Add service detection with WithService in go.opentelemetry.io/otel/sdk/resource. (#​7642)
  • Add DefaultWithContext and EnvironmentWithContext in go.opentelemetry.io/otel/sdk/resource to support plumbing context.Context through default and environment detectors. (#​8051)
  • Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc. (#​8038)
  • Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc. (#​8038)
  • Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc. (#​8038)
  • Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp. (#​8038)
  • Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp. (#​8038)
  • Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp. (#​8038)
  • Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest. (#​8038)
  • Add support for per-series start time tracking for cumulative metrics in go.opentelemetry.io/otel/sdk/metric.
    Set OTEL_GO_X_PER_SERIES_START_TIMESTAMPS=true to enable. (#​8060)
  • Add WithCardinalityLimitSelector for metric reader for configuring cardinality limits specific to the instrument kind. (#​7855)

Changed

  • Introduce the EMPTY Type in go.opentelemetry.io/otel/attribute to reflect that an empty value is now a valid value, with INVALID remaining as a deprecated alias of EMPTY. (#​8038)
  • Refactor slice handling in go.opentelemetry.io/otel/attribute to optimize short slice values with fixed-size fast paths. (#​8039)
  • Improve performance of span metric recording in go.opentelemetry.io/otel/sdk/trace by returning early if self-observability is not enabled. (#​8067)
  • Improve formatting of metric data diffs in go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest. (#​8073)

Deprecated

  • Deprecate INVALID in go.opentelemetry.io/otel/attribute. Use EMPTY instead. (#​8038)

Fixed

  • Return spec-compliant TraceIdRatioBased description. This is a breaking behavioral change, but it is necessary to
    make the implementation spec-compliant. (#​8027)
  • Fix a race condition in go.opentelemetry.io/otel/sdk/metric where the lastvalue aggregation could collect the value 0 even when no zero-value measurements were recorded. (#​8056)
  • Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp to mitigate excessive memory usage caused by a misconfigured or malicious server.
    Responses exceeding the limit are treated as non-retryable errors. (#​8108)
  • Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp to mitigate excessive memory usage caused by a misconfigured or malicious server.
    Responses exceeding the limit are treated as non-retryable errors. (#​8108)
  • Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp to mitigate excessive memory usage caused by a misconfigured or malicious server.
    Responses exceeding the limit are treated as non-retryable errors. (#​8108)
  • WithHostID detector in go.opentelemetry.io/otel/sdk/resource to use full path for kenv command on BSD. (#​8113)
  • Fix missing request.GetBody in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp to correctly handle HTTP2 GOAWAY frame. (#​8096)

What's Changed

New Contributors

Full Changelog: open-telemetry/opentelemetry-go@v1.42.0...v1.43.0


Configuration

📅 Schedule: (in timezone Etc/UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the security label Apr 23, 2026
@renovate renovate Bot enabled auto-merge (squash) April 23, 2026 22:51
@renovate renovate Bot requested a review from a team April 23, 2026 22:51
@renovate

renovate Bot commented Apr 23, 2026

Copy link
Copy Markdown
Contributor Author

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: flow/go.sum
Command failed: go get -t ./...
go: downloading go.opentelemetry.io/otel v1.43.0
go: downloading go.opentelemetry.io/otel/metric v1.43.0
go: downloading go.opentelemetry.io/otel/sdk v1.43.0
go: downloading google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9
go: downloading google.golang.org/grpc v1.80.0
go: downloading google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9
go: downloading go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.43.0
go: downloading go.opentelemetry.io/otel/sdk/metric v1.43.0
go: downloading go.opentelemetry.io/otel/trace v1.43.0
go: github.com/PeerDB-io/peerdb/flow/activities imports
	github.com/PeerDB-io/peerdb/flow/generated/protos: cannot find module providing package github.com/PeerDB-io/peerdb/flow/generated/protos
go: github.com/PeerDB-io/peerdb/flow/cmd imports
	github.com/PeerDB-io/peerdb/flow/generated/grpc_handler: cannot find module providing package github.com/PeerDB-io/peerdb/flow/generated/grpc_handler
go: github.com/PeerDB-io/peerdb/flow/cmd imports
	github.com/PeerDB-io/peerdb/flow/generated/proto_conversions: cannot find module providing package github.com/PeerDB-io/peerdb/flow/generated/proto_conversions
go: module github.com/aws/aws-sdk-go-v2/feature/s3/manager is deprecated: superceded by feature/s3/transfermanager. See https://github.com/aws/aws-sdk-go-v2/discussions/3306

@codecov

codecov Bot commented Apr 23, 2026

Copy link
Copy Markdown

⚠️ JUnit XML file not found

The CLI was unable to find any JUnit XML files to upload.
For more help, visit our troubleshooting guide.

@github-actions

Copy link
Copy Markdown
Contributor

❌ Test Failure

Analysis: Deterministic build failure: go.sum is missing checksum entries for dozens of transitive dependencies (grpc, otel, genproto, etc.), preventing the binary from compiling at all — no tests were run.
Confidence: 0.97

⚠️ This appears to be a real bug - manual intervention needed

View workflow run

@renovate renovate Bot force-pushed the renovate/go-go.opentelemetry.io-otel-exporters-otlp-otlpmetric-otlpmetrichttp-vulnerability branch from 7128bef to 72b3716 Compare April 23, 2026 23:28
@renovate renovate Bot requested a review from a team April 23, 2026 23:28
@github-actions

Copy link
Copy Markdown
Contributor

❌ Test Failure

Analysis: Deterministic build failure: the Go go.sum file is missing entries for dozens of transitive dependencies (grpc, otel, genproto, etc.), causing the build to fail before any tests run — likely triggered by a recent dependency update that wasn't accompanied by go mod tidy.
Confidence: 0.97

⚠️ This appears to be a real bug - manual intervention needed

View workflow run

@renovate renovate Bot force-pushed the renovate/go-go.opentelemetry.io-otel-exporters-otlp-otlpmetric-otlpmetrichttp-vulnerability branch from 72b3716 to cc32ffa Compare April 24, 2026 02:06
@github-actions

Copy link
Copy Markdown
Contributor

❌ Test Failure

Analysis: Deterministic build failure: the Go module's go.sum file is missing checksum entries for dozens of required packages (grpc, otel, genproto, etc.), causing the build to fail before any tests can run.
Confidence: 0.98

⚠️ This appears to be a real bug - manual intervention needed

View workflow run

@renovate renovate Bot force-pushed the renovate/go-go.opentelemetry.io-otel-exporters-otlp-otlpmetric-otlpmetrichttp-vulnerability branch from cc32ffa to 4f46e87 Compare April 25, 2026 16:31
@github-actions

Copy link
Copy Markdown
Contributor

❌ Test Failure

Analysis: Deterministic build failure caused by missing go.sum entries for dozens of packages (grpc, opentelemetry, genproto, etc.), meaning go.mod was updated but go sum was not regenerated — this will fail on every run until fixed.
Confidence: 0.97

⚠️ This appears to be a real bug - manual intervention needed

View workflow run

@renovate renovate Bot changed the title Update module go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp to v1.43.0 [SECURITY] Update module go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp to v1.43.0 [SECURITY] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
auto-merge was automatically disabled April 27, 2026 17:49

Pull request was closed

@renovate renovate Bot deleted the renovate/go-go.opentelemetry.io-otel-exporters-otlp-otlpmetric-otlpmetrichttp-vulnerability branch April 27, 2026 17:49
@renovate renovate Bot changed the title Update module go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp to v1.43.0 [SECURITY] - autoclosed Update module go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp to v1.43.0 [SECURITY] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/go-go.opentelemetry.io-otel-exporters-otlp-otlpmetric-otlpmetrichttp-vulnerability branch 2 times, most recently from 4f46e87 to f2ecc43 Compare April 27, 2026 21:46
@github-actions

Copy link
Copy Markdown
Contributor

❌ Test Failure

Analysis: The build failed with dozens of "missing go.sum entry" errors for packages like google.golang.org/grpc, go.opentelemetry.io/otel, and others, indicating the go.sum file is out of sync with go.mod — a deterministic build breakage, not a flaky test.
Confidence: 0.98

⚠️ This appears to be a real bug - manual intervention needed

View workflow run

@github-actions

Copy link
Copy Markdown
Contributor

❌ Test Failure

Analysis: Deterministic build failure: go.sum is missing checksum entries for many packages (opentelemetry, grpc, genproto), indicating go.mod was updated without running go mod tidy.
Confidence: 0.98

⚠️ This appears to be a real bug - manual intervention needed

View workflow run

@renovate renovate Bot enabled auto-merge (squash) April 28, 2026 00:11
@renovate renovate Bot force-pushed the renovate/go-go.opentelemetry.io-otel-exporters-otlp-otlpmetric-otlpmetrichttp-vulnerability branch from f2ecc43 to d1e4acb Compare April 28, 2026 00:11
@github-actions

Copy link
Copy Markdown
Contributor

❌ Test Failure

Analysis: Build fails deterministically due to missing go.sum entries for multiple packages (grpc, otel, genproto), indicating a dependency update was committed without running go mod tidy.
Confidence: 0.98

⚠️ This appears to be a real bug - manual intervention needed

View workflow run

@renovate renovate Bot changed the title Update module go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp to v1.43.0 [SECURITY] Update module go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp to v1.43.0 [SECURITY] - autoclosed Apr 28, 2026
@renovate renovate Bot closed this Apr 28, 2026
auto-merge was automatically disabled April 28, 2026 05:51

Pull request was closed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant