fix(deps): update module go.opentelemetry.io/otel to v1.41.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
go.opentelemetry.io/otel	v1.40.0 → v1.41.0

---

OpenTelemetry-Go: multi-value baggage header extraction causes excessive allocations (remote dos amplification)

CVE-2026-29181 / GHSA-mh2q-q3fh-2475

More information

Details

multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. this allows an attacker to amplify cpu and allocations by sending many baggage: header lines, even when each individual value is within the 8192-byte per-value parse limit.

severity

HIGH (availability / remote request amplification)

relevant links

• repository: https://github.com/open-telemetry/opentelemetry-go
• pinned callsite: https://github.com/open-telemetry/opentelemetry-go/blob/1ee4a4126dbdd1bc79e9fae072fa488beffac52a/propagation/baggage.go#L58

vulnerability details

pins: open-telemetry/opentelemetry-go@1ee4a41
as-of: 2026-02-04
policy: direct (no program scope provided)

callsite: propagation/baggage.go:58 (extractMultiBaggage)
attacker control: inbound HTTP request headers (many baggage field-values) → propagation.HeaderCarrier.Values("baggage") → repeated baggage.Parse + member aggregation

root cause

extractMultiBaggage iterates over all baggage header field-values and parses each one independently, then appends members into a shared slice. the 8192-byte parsing cap applies per header value, but the multi-value path repeats that work once per header line (bounded only by the server/proxy header byte limit).

impact

in a default net/http configuration (max header bytes 1mb), a single request with many baggage: header field-values can cause large per-request allocations and increased latency.

example from the attached PoC harness (darwin/arm64; 80 values; 40 requests):

• canonical: per_req_alloc_bytes=10315458 and p95_ms=7
• control: per_req_alloc_bytes=133429 and p95_ms=0

proof of concept

canonical:

mkdir -p poc
unzip poc.zip -d poc
cd poc
make test

output (excerpt):

[CALLSITE_HIT]: propagation/baggage.go:58 extractMultiBaggage
[PROOF_MARKER]: baggage_multi_value_amplification p95_ms=7 per_req_alloc_bytes=10315458 per_req_allocs=16165

control:

cd poc
make control

control output (excerpt):

[NC_MARKER]: baggage_single_value_baseline p95_ms=0 per_req_alloc_bytes=133429 per_req_allocs=480

expected: multiple baggage header field-values should be semantically equivalent to a single comma-joined baggage value and should not multiply parsing/alloc work within the effective header byte budget.
actual: multiple baggage header field-values trigger repeated parsing and member aggregation, causing high per-request allocations and increased latency even when each individual value is within 8192 bytes.

fix recommendation

avoid repeated parsing across multi-values by enforcing a global budget and/or normalizing multi-values into a single value before parsing. one mitigation approach is to treat multi-values as a single comma-joined string and cap total parsed bytes (for example 8192 bytes total).

fix accepted when: under the default PoC harness settings, canonical stays within 2x of control for per_req_alloc_bytes and per_req_allocs, and p95_ms stays below 2ms.

poc.zip
PR_DESCRIPTION.md

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-mh2q-q3fh-2475
• https://github.com/open-telemetry/opentelemetry-go/pull/7880
• https://github.com/open-telemetry/opentelemetry-go/commit/aa1894e09e3fe66860c7885cb40f98901b35277f
• https://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.41.0
• https://nvd.nist.gov/vuln/detail/CVE-2026-29181
• https://github.com/advisories/GHSA-mh2q-q3fh-2475

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

open-telemetry/opentelemetry-go (go.opentelemetry.io/otel)

v1.41.0: /v0.63.0/v0.17.0/v0.0.15

Compare Source

This release is the last to support Go 1.24. The next release will require at least Go 1.25.

Added

• Support testing of Go 1.26. (#​7902)

Fixed

• Update Baggage in go.opentelemetry.io/otel/propagation and Parse and New in go.opentelemetry.io/otel/baggage to comply with W3C Baggage specification limits. New and Parse now return partial baggage along with an error when limits are exceeded. Errors from baggage extraction are reported to the global error handler. (#​7880)

What's Changed

• fix(deps): update googleapis to ce8ad4c by @​renovate[bot] in #​7860
• chore(deps): update otel/weaver docker tag to v0.21.0 by @​renovate[bot] in #​7865
• fix(deps): update module go.opentelemetry.io/collector/pdata to v1.51.0 by @​renovate[bot] in #​7863
• chore(deps): update golang.org/x/telemetry digest to fe4bb1c by @​renovate[bot] in #​7861
• chore(deps): update golang.org/x/telemetry digest to aaaaaa5 by @​renovate[bot] in #​7869
• sdk/log/observ: guard LogProcessed with Enabled by @​NesterovYehor in #​7848
• stdouttrace observability: skip metric work when instruments are disabled by @​NesterovYehor in #​7853
• chore(deps): update otel/weaver docker tag to v0.21.2 by @​renovate[bot] in #​7870
• fix(deps): update googleapis to 546029d by @​renovate[bot] in #​7871
• stdoutmetric observ: skip metric work when instruments are disabled by @​NesterovYehor in #​7868
• chore(deps): update fossas/fossa-action action to v1.8.0 by @​renovate[bot] in #​7879
• chore(deps): update github/codeql-action action to v4.32.2 by @​renovate[bot] in #​7878
• chore(deps): update module github.com/ghostiam/protogetter to v0.3.20 by @​renovate[bot] in #​7877
• chore(deps): update golang.org/x/telemetry digest to 86a5c4b by @​renovate[bot] in #​7876
• fix(deps): update module golang.org/x/sys to v0.41.0 by @​renovate[bot] in #​7885
• chore(deps): update module github.com/clipperhouse/uax29/v2 to v2.6.0 by @​renovate[bot] in #​7884
• Checked if instrument enabled before measuring in prometheus by @​itssaharsh in #​7866
• exporter/otlploghttp: guard observ metrics with Enabled checks by @​NesterovYehor in #​7813
• chore(deps): update module github.com/go-git/go-git/v5 to v5.16.5 by @​renovate[bot] in #​7886
• chore(deps): update golang.org/x by @​renovate[bot] in #​7887
• fix(deps): update golang.org/x by @​renovate[bot] in #​7890
• fix(deps): update golang.org/x to 2842357 by @​renovate[bot] in #​7891
• fix(deps): update googleapis to 4cfbd41 by @​renovate[bot] in #​7889
• Checked if instrument enabled before measuring in oteltracegrpc by @​itssaharsh in #​7825
• Checked if Instrument Enabled before measuring in otlpgrpc by @​itssaharsh in #​7824
• chore(deps): update module github.com/grpc-ecosystem/grpc-gateway/v2 to v2.27.8 by @​renovate[bot] in #​7892
• chore(deps): update module github.com/golangci/golines to v0.15.0 by @​renovate[bot] in #​7893
• chore(deps): update module github.com/golangci/misspell to v0.8.0 by @​renovate[bot] in #​7894
• chore(deps): update golang.org/x/telemetry digest to 9f66fae by @​renovate[bot] in #​7898
• fix(deps): update module google.golang.org/grpc to v1.79.0 by @​renovate[bot] in #​7906
• Support Go 1.26 by @​dmathieu in #​7902
• fix(deps): update module google.golang.org/grpc to v1.79.1 by @​renovate[bot] in #​7908
• chore(deps): update github/codeql-action action to v4.32.3 by @​renovate[bot] in #​7909
• chore(deps): update module github.com/kevinburke/ssh_config to v1.5.0 by @​renovate[bot] in #​7911
• chore(deps): update module github.com/kevinburke/ssh_config to v1.6.0 by @​renovate[bot] in #​7913
• chore(deps): update actions/stale action to v10.2.0 by @​renovate[bot] in #​7917
• chore(deps): update module github.com/godoc-lint/godoc-lint to v0.11.2 by @​renovate[bot] in #​7916
• chore(deps): update module github.com/clipperhouse/uax29/v2 to v2.7.0 by @​renovate[bot] in #​7915
• chore(deps): update module github.com/mattn/go-runewidth to v0.0.20 by @​renovate[bot] in #​7918
• chore(deps): update module github.com/grpc-ecosystem/grpc-gateway/v2 to v2.28.0 by @​renovate[bot] in #​7921
• Checked if Operation Enabled in otlptracehttp before performing operation by @​itssaharsh in #​7881
• chore(deps): update github/codeql-action action to v4.32.4 by @​renovate[bot] in #​7936
• chore(deps): update module github.com/mirrexone/unqueryvet to v1.5.4 by @​renovate[bot] in #​7939
• chore(deps): update module github.com/uudashr/gocognit to v1.2.1 by @​renovate[bot] in #​7947
• chore(deps): update module github.com/alexkohler/prealloc to v1.0.3 by @​renovate[bot] in #​7950
• chore(deps): update module github.com/go-git/go-billy/v5 to v5.8.0 by @​renovate[bot] in #​7953
• chore(deps): update lycheeverse/lychee-action action to v2.8.0 by @​renovate[bot] in #​7959
• chore(deps): update module github.com/go-git/go-git/v5 to v5.17.0 by @​renovate[bot] in #​7960
• chore(deps): update actions/setup-go action to v6.3.0 by @​renovate[bot] in #​7962
• Document metric api interfaces that methods need to be safe to be called concurrently by @​dashpole in #​7952
• ci: add govulncheck job to CI workflow and update lint target by @​pellared in #​7971
• Comply with W3C Baggage specification limits by @​XSAM in #​7880
• chore(deps): update module github.com/mgechev/revive to v1.14.0 by @​renovate[bot] in #​7895
• chore(deps): update github artifact actions (major) by @​renovate[bot] in #​7963
• chore(deps): update module github.com/kisielk/errcheck to v1.10.0 by @​renovate[bot] in #​7967
• chore(deps): update module github.com/protonmail/go-crypto to v1.4.0 by @​renovate[bot] in #​7969
• fix(deps): update github.com/opentracing-contrib/go-grpc/test digest to d566b4d by @​renovate[bot] in #​7972
• chore(deps): update module github.com/sonatard/noctx to v0.5.0 by @​renovate[bot] in #​7968
• chore(deps): update module github.com/daixiang0/gci to v0.14.0 by @​renovate[bot] in #​7973
• chore(deps): update module github.com/securego/gosec/v2 to v2.23.0 by @​renovate[bot] in #​7899
• Generate semconv/v1.40.0 by @​ChrsMark in #​7929
• Revert "Generate semconv/v1.40.0" by @​dmathieu in #​7978
• chore(deps): update github/codeql-action action to v4.32.5 by @​renovate[bot] in #​7980
• fix: add error handling for insecure HTTP endpoints with TLS client configuration by @​sandy2008 in #​7914
• Release 1.41.0/0.63.0/0.17.0/0.0.15 by @​pellared in #​7977

New Contributors

• @​NesterovYehor made their first contribution in #​7848
• @​sandy2008 made their first contribution in #​7914

Full Changelog: open-telemetry/opentelemetry-go@v1.40.0...v1.41.0

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 2 additional dependencies were updated

Details:

Package	Change
go.opentelemetry.io/otel/trace	v1.40.0 -> v1.41.0
go.opentelemetry.io/otel/metric	v1.40.0 -> v1.41.0