GHSA-w8rr-5gcm-pp58

Source
https://github.com/advisories/GHSA-w8rr-5gcm-pp58
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-w8rr-5gcm-pp58/GHSA-w8rr-5gcm-pp58.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-w8rr-5gcm-pp58
Aliases
Downstream
Related
Published
2026-04-08T19:22:01Z
Modified
2026-04-09T20:14:19.007079627Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
opentelemetry-go: OTLP HTTP exporters read unbounded HTTP response bodies
Details

overview: the OTLP HTTP exporters (traces, metrics and logs) read the full HTTP response body into an in-memory bytes.Buffer with no size cap.

this is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled, or when a network attacker can MITM the exporter connection.

severity

HIGH

not claiming: a remote DoS against every default deployment. claiming: if the exporter sends traces to an untrusted collector endpoint (or over a network segment where MITM is realistic), that endpoint can crash the process with a large response body.

callsite (pinned):
- exporters/otlp/otlptrace/otlptracehttp/client.go:199
- exporters/otlp/otlptrace/otlptracehttp/client.go:230
- exporters/otlp/otlpmetric/otlpmetrichttp/client.go:170
- exporters/otlp/otlpmetric/otlpmetrichttp/client.go:201
- exporters/otlp/otlplog/otlploghttp/client.go:190
- exporters/otlp/otlplog/otlploghttp/client.go:221

permalinks (pinned):
- https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlptrace/otlptracehttp/client.go#L199
- https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlptrace/otlptracehttp/client.go#L230
- https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlpmetric/otlpmetrichttp/client.go#L170
- https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlpmetric/otlpmetrichttp/client.go#L201
- https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlplog/otlploghttp/client.go#L190
- https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlplog/otlploghttp/client.go#L221

root cause: each exporter client reads resp.Body with io.Copy(&respData, resp.Body) into a bytes.Buffer on both the success and the error path, with no upper bound on the number of bytes copied.

impact: a malicious collector can force large transient heap allocations during export (peak memory scales with the attacker-chosen response size) and can potentially crash the instrumented process (OOM).

affected component:
- go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp
- go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp
- go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp

repro (local-only):

unzip poc.zip -d poc
cd poc
make canonical resp_bytes=33554432 chunk_delay_ms=0

expected output contains:

[CALLSITE_HIT]: otlptracehttp.UploadTraces::io.Copy(resp.Body)
[PROOF_MARKER]: resp_bytes=33554432 peak_alloc_bytes=118050512

control (same env, patched target):

unzip poc.zip -d poc
cd poc
make control resp_bytes=33554432 chunk_delay_ms=0

expected control output contains:

[CALLSITE_HIT]: otlptracehttp.UploadTraces::io.Copy(resp.Body)
[NC_MARKER]: resp_bytes=33554432 peak_alloc_bytes=512232

attachments:
- PR_DESCRIPTION.md
- attack_scenario.md
- poc.zip

Fixed in: https://github.com/open-telemetry/opentelemetry-go/pull/8108

Database specific
{
    "cwe_ids": [
        "CWE-789"
    ],
    "nvd_published_at": "2026-04-08T21:17:00Z",
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-08T19:22:01Z",
    "severity": "MODERATE"
}
References

Affected packages

Go
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp

Package

Name
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp
Purl
pkg:golang/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.43.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-w8rr-5gcm-pp58/GHSA-w8rr-5gcm-pp58.json"
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp

Package

Name
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp
Purl
pkg:golang/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.43.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-w8rr-5gcm-pp58/GHSA-w8rr-5gcm-pp58.json"
go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp

Package

Name
go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp
Purl
pkg:golang/go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.19.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-w8rr-5gcm-pp58/GHSA-w8rr-5gcm-pp58.json"