GO-2026-4985
- Source
- https://pkg.go.dev/vuln/GO-2026-4985
- Import Source
- https://vuln.go.dev/ID/GO-2026-4985.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GO-2026-4985
- Aliases
- Related
- Published
- 2026-05-26T22:48:49Z
- Modified
- 2026-05-27T14:29:10.488141783Z
- Summary
- Oversized OTLP HTTP response bodies can cause memory exhaustion in go.opentelemetry.io/otel/exporters/otlp
- Details
-
The OTLP HTTP exporters (traces, metrics, and logs) do not limit the size of the HTTP response body read from the collector. A malicious or misconfigured collector can send a large response body, leading to excessive memory consumption and potential process termination (OOM).
- Database specific
{ "url": "https://pkg.go.dev/vuln/GO-2026-4985", "review_status": "REVIEWED" }- References
Affected packages
Go
go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp
Package
- Name
- go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp
- View open source insights on deps.dev
- Purl
- pkg:golang/go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp
Affected ranges
- Type
- SEMVER
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed0.19.0
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp
Package
- Name
- go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp
- View open source insights on deps.dev
- Purl
- pkg:golang/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp
Affected ranges
- Type
- SEMVER
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.43.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp
Package
- Name
- go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp
- View open source insights on deps.dev
- Purl
- pkg:golang/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp
Affected ranges
- Type
- SEMVER
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.43.0