Skip to content

chore(deps): update module go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp to v1.43.0 [security]#531

Open
renovate-sh-app[bot] wants to merge 1 commit intomainfrom
renovate/go-go.opentelemetry.io-otel-exporters-otlp-otlpmetric-otlpmetrichttp-vulnerability
Open

chore(deps): update module go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp to v1.43.0 [security]#531
renovate-sh-app[bot] wants to merge 1 commit intomainfrom
renovate/go-go.opentelemetry.io-otel-exporters-otlp-otlpmetric-otlpmetrichttp-vulnerability

Conversation

@renovate-sh-app
Copy link
Copy Markdown
Contributor

@renovate-sh-app renovate-sh-app Bot commented Apr 8, 2026
edited
Loading

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.36.0v1.43.0 age confidence

GitHub Vulnerability Alerts

CVE-2026-39882

overview:
this report shows that the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory bytes.Buffer without a size cap.

this is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can mitm the exporter connection).

severity

HIGH

not claiming: this is a remote dos against every default deployment.
claiming: if the exporter sends traces to an untrusted collector endpoint (or over a network segment where mitm is realistic), that endpoint can crash the process via a large response body.

callsite (pinned):

  • exporters/otlp/otlptrace/otlptracehttp/client.go:199
  • exporters/otlp/otlptrace/otlptracehttp/client.go:230
  • exporters/otlp/otlpmetric/otlpmetrichttp/client.go:170
  • exporters/otlp/otlpmetric/otlpmetrichttp/client.go:201
  • exporters/otlp/otlplog/otlploghttp/client.go:190
  • exporters/otlp/otlplog/otlploghttp/client.go:221

permalinks (pinned):

root cause:
each exporter client reads resp.Body using io.Copy(&respData, resp.Body) into a bytes.Buffer on both success and error paths, with no upper bound.

impact:
a malicious collector can force large transient heap allocations during export (peak memory scales with attacker-chosen response size) and can potentially crash the instrumented process (oom).

affected component:

  • go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp
  • go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp
  • go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp

repro (local-only):

unzip poc.zip -d poc
cd poc
make canonical resp_bytes=33554432 chunk_delay_ms=0

expected output contains:

[CALLSITE_HIT]: otlptracehttp.UploadTraces::io.Copy(resp.Body)
[PROOF_MARKER]: resp_bytes=33554432 peak_alloc_bytes=118050512

control (same env, patched target):

unzip poc.zip -d poc
cd poc
make control resp_bytes=33554432 chunk_delay_ms=0

expected control output contains:

[CALLSITE_HIT]: otlptracehttp.UploadTraces::io.Copy(resp.Body)
[NC_MARKER]: resp_bytes=33554432 peak_alloc_bytes=512232

attachments: poc.zip (attached)

PR_DESCRIPTION.md

attack_scenario.md

poc.zip

Fixed in: https://github.com/open-telemetry/opentelemetry-go/pull/8108

Severity
  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

opentelemetry-go: OTLP HTTP exporters read unbounded HTTP response bodies

CVE-2026-39882 / GHSA-w8rr-5gcm-pp58

More information

Details

overview:
this report shows that the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory bytes.Buffer without a size cap.

this is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can mitm the exporter connection).

severity

HIGH

not claiming: this is a remote dos against every default deployment.
claiming: if the exporter sends traces to an untrusted collector endpoint (or over a network segment where mitm is realistic), that endpoint can crash the process via a large response body.

callsite (pinned):

  • exporters/otlp/otlptrace/otlptracehttp/client.go:199
  • exporters/otlp/otlptrace/otlptracehttp/client.go:230
  • exporters/otlp/otlpmetric/otlpmetrichttp/client.go:170
  • exporters/otlp/otlpmetric/otlpmetrichttp/client.go:201
  • exporters/otlp/otlplog/otlploghttp/client.go:190
  • exporters/otlp/otlplog/otlploghttp/client.go:221

permalinks (pinned):

root cause:
each exporter client reads resp.Body using io.Copy(&respData, resp.Body) into a bytes.Buffer on both success and error paths, with no upper bound.

impact:
a malicious collector can force large transient heap allocations during export (peak memory scales with attacker-chosen response size) and can potentially crash the instrumented process (oom).

affected component:

  • go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp
  • go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp
  • go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp

repro (local-only):

unzip poc.zip -d poc
cd poc
make canonical resp_bytes=33554432 chunk_delay_ms=0

expected output contains:

[CALLSITE_HIT]: otlptracehttp.UploadTraces::io.Copy(resp.Body)
[PROOF_MARKER]: resp_bytes=33554432 peak_alloc_bytes=118050512

control (same env, patched target):

unzip poc.zip -d poc
cd poc
make control resp_bytes=33554432 chunk_delay_ms=0

expected control output contains:

[CALLSITE_HIT]: otlptracehttp.UploadTraces::io.Copy(resp.Body)
[NC_MARKER]: resp_bytes=33554432 peak_alloc_bytes=512232

attachments: poc.zip (attached)

PR_DESCRIPTION.md

attack_scenario.md

poc.zip

Fixed in: https://github.com/open-telemetry/opentelemetry-go/pull/8108

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

open-telemetry/opentelemetry-go (go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp)

v1.43.0

Compare Source

v1.42.0

Compare Source

v1.41.0

Compare Source

v1.40.0

Compare Source

v1.39.0

Compare Source

v1.38.0: /v0.60.0/v0.14.0/v0.0.13

Compare Source

Overview

This release is the last to support Go 1.23. The next release will require at least Go 1.24.

Added
  • Add native histogram exemplar support in go.opentelemetry.io/otel/exporters/prometheus. (#​6772)
  • Add template attribute functions to the go.opentelmetry.io/otel/semconv/v1.34.0 package. (#​6939)
    • ContainerLabel
    • DBOperationParameter
    • DBSystemParameter
    • HTTPRequestHeader
    • HTTPResponseHeader
    • K8SCronJobAnnotation
    • K8SCronJobLabel
    • K8SDaemonSetAnnotation
    • K8SDaemonSetLabel
    • K8SDeploymentAnnotation
    • K8SDeploymentLabel
    • K8SJobAnnotation
    • K8SJobLabel
    • K8SNamespaceAnnotation
    • K8SNamespaceLabel
    • K8SNodeAnnotation
    • K8SNodeLabel
    • K8SPodAnnotation
    • K8SPodLabel
    • K8SReplicaSetAnnotation
    • K8SReplicaSetLabel
    • K8SStatefulSetAnnotation
    • K8SStatefulSetLabel
    • ProcessEnvironmentVariable
    • RPCConnectRPCRequestMetadata
    • RPCConnectRPCResponseMetadata
    • RPCGRPCRequestMetadata
    • RPCGRPCResponseMetadata
  • Add ErrorType attribute helper function to the go.opentelmetry.io/otel/semconv/v1.34.0 package. (#​6962)
  • Add WithAllowKeyDuplication in go.opentelemetry.io/otel/sdk/log which can be used to disable deduplication for log records. (#​6968)
  • Add WithCardinalityLimit option to configure the cardinality limit in go.opentelemetry.io/otel/sdk/metric. (#​6996, #​7065, #​7081, #​7164, #​7165, #​7179)
  • Add Clone method to Record in go.opentelemetry.io/otel/log that returns a copy of the record with no shared state. (#​7001)
  • Add experimental self-observability span and batch span processor metrics in go.opentelemetry.io/otel/sdk/trace. Check the go.opentelemetry.io/otel/sdk/trace/internal/x package documentation for more information. (#​7027, #​6393, #​7209)
  • The go.opentelemetry.io/otel/semconv/v1.36.0 package. The package contains semantic conventions from the v1.36.0 version of the OpenTelemetry Semantic Conventions. See the migration documentation for information on how to upgrade from go.opentelemetry.io/otel/semconv/v1.34.0.(#​7032, #​7041)
  • Add support for configuring Prometheus name translation using WithTranslationStrategy option in go.opentelemetry.io/otel/exporters/prometheus. The current default translation strategy when UTF-8 mode is enabled is NoUTF8EscapingWithSuffixes, but a future release will change the default strategy to UnderscoreEscapingWithSuffixes for compliance with the specification. (#​7111)
  • Add experimental self-observability log metrics in go.opentelemetry.io/otel/sdk/log. Check the go.opentelemetry.io/otel/sdk/log/internal/x package documentation for more information. (#​7121)
  • Add experimental self-observability trace exporter metrics in go.opentelemetry.io/otel/exporters/stdout/stdouttrace. Check the go.opentelemetry.io/otel/exporters/stdout/stdouttrace/internal/x package documentation for more information. (#​7133)
  • Support testing of [Go 1.25]. (#​7187)
  • The go.opentelemetry.io/otel/semconv/v1.37.0 package. The package contains semantic conventions from the v1.37.0 version of the OpenTelemetry Semantic Conventions. See the migration documentation for information on how to upgrade from go.opentelemetry.io/otel/semconv/v1.36.0.(#​7254)
Changed
  • Optimize TraceIDFromHex and SpanIDFromHex in go.opentelemetry.io/otel/sdk/trace. (#​6791)
  • Change AssertEqual in go.opentelemetry.io/otel/log/logtest to accept TestingT in order to support benchmarks and fuzz tests. (#​6908)
  • Change DefaultExemplarReservoirProviderSelector in go.opentelemetry.io/otel/sdk/metric to use runtime.GOMAXPROCS(0) instead of runtime.NumCPU() for the FixedSizeReservoirProvider default size. (#​7094)
Fixed
  • SetBody method of Record in go.opentelemetry.io/otel/sdk/log now deduplicates key-value collections (log.Value of log.KindMap from go.opentelemetry.io/otel/log). (#​7002)
  • Fix go.opentelemetry.io/otel/exporters/prometheus to not append a suffix if it's already present in metric name. (#​7088)
  • Fix the go.opentelemetry.io/otel/exporters/stdout/stdouttrace self-observability component type and name. (#​7195)
  • Fix partial export count metric in go.opentelemetry.io/otel/exporters/stdout/stdouttrace. (#​7199)
Deprecated
  • Deprecate WithoutUnits and WithoutCounterSuffixes options, preferring WithTranslationStrategy instead. (#​7111)
  • Deprecate support for OTEL_GO_X_CARDINALITY_LIMIT environment variable in go.opentelemetry.io/otel/sdk/metric. Use WithCardinalityLimit option instead. (#​7166)
What's Changed
New Contributors

Full Changelog: open-telemetry/opentelemetry-go@exporters/prometheus/v0.59.1...v1.38.0

v1.37.0: Release 1.37.0/0.59.0/0.13.0

Compare Source

Added
  • The go.opentelemetry.io/otel/semconv/v1.33.0 package.
    The package contains semantic conventions from the v1.33.0 version of the OpenTelemetry Semantic Conventions.
    See the migration documentation for information on how to upgrade from go.opentelemetry.io/otel/semconv/v1.32.0.(#​6799)
  • The go.opentelemetry.io/otel/semconv/v1.34.0 package.
    The package contains semantic conventions from the v1.34.0 version of the OpenTelemetry Semantic Conventions. (#​6812)
  • Add metric's schema URL as otel_scope_schema_url label in go.opentelemetry.io/otel/exporters/prometheus. (#​5947)
  • Add metric's scope attributes as otel_scope_[attribute] labels in go.opentelemetry.io/otel/exporters/prometheus. (#​5947)
  • Add EventName to EnabledParameters in go.opentelemetry.io/otel/log. (#​6825)
  • Add EventName to EnabledParameters in go.opentelemetry.io/otel/sdk/log. (#​6825)
  • Changed handling of go.opentelemetry.io/otel/exporters/prometheus metric renaming to add unit suffixes when it doesn't match one of the pre-defined values in the unit suffix map. (#​6839)
Changed
  • The semantic conventions have been upgraded from v1.26.0 to v1.34.0 in go.opentelemetry.io/otel/bridge/opentracing. (#​6827)
  • The semantic conventions have been upgraded from v1.26.0 to v1.34.0 in go.opentelemetry.io/otel/exporters/zipkin. (#​6829)
  • The semantic conventions have been upgraded from v1.26.0 to v1.34.0 in go.opentelemetry.io/otel/metric. (#​6832)
  • The semantic conventions have been upgraded from v1.26.0 to v1.34.0 in go.opentelemetry.io/otel/sdk/resource. (#​6834)
  • The semantic conventions have been upgraded from v1.26.0 to v1.34.0 in go.opentelemetry.io/otel/sdk/trace. (#​6835)
  • The semantic conventions have been upgraded from v1.26.0 to v1.34.0 in go.opentelemetry.io/otel/trace. (#​6836)
  • Record.Resource now retu

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

Need help?

You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.

@renovate-sh-app
chore(deps): update module go.opentelemetry.io/otel/exporters/otlp/ot…
cd49bd3 
…lpmetric/otlpmetrichttp to v1.43.0 [security]

| datasource | package                                                           | from    | to      |
| ---------- | ----------------------------------------------------------------- | ------- | ------- |
| go         | go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp | v1.36.0 | v1.43.0 |


Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
@renovate-sh-app renovate-sh-app Bot requested a review from a team as a code owner April 8, 2026 19:42
@renovate-sh-app renovate-sh-app Bot enabled auto-merge (squash) April 8, 2026 19:42
@github-project-automation github-project-automation Bot moved this to In review in Alerting Apr 8, 2026
@renovate-sh-app
Copy link
Copy Markdown
Contributor Author

renovate-sh-app Bot commented Apr 8, 2026

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 22 additional dependencies were updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
go 1.24.0 -> 1.25.0
github.com/stretchr/testify v1.10.0 -> v1.11.1
go.opentelemetry.io/otel v1.37.0 -> v1.43.0
go.opentelemetry.io/otel/trace v1.37.0 -> v1.43.0
golang.org/x/net v0.44.0 -> v0.52.0
golang.org/x/oauth2 v0.31.0 -> v0.35.0
golang.org/x/sync v0.17.0 -> v0.20.0
github.com/cenkalti/backoff/v5 v5.0.2 -> v5.0.3
github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 -> v2.28.0
go.opentelemetry.io/auto/sdk v1.1.0 -> v1.2.1
go.opentelemetry.io/otel/metric v1.37.0 -> v1.43.0
go.opentelemetry.io/otel/sdk v1.37.0 -> v1.43.0
go.opentelemetry.io/otel/sdk/metric v1.37.0 -> v1.43.0
go.opentelemetry.io/proto/otlp v1.6.0 -> v1.10.0
golang.org/x/crypto v0.42.0 -> v0.49.0
golang.org/x/mod v0.27.0 -> v0.33.0
golang.org/x/sys v0.36.0 -> v0.42.0
golang.org/x/text v0.29.0 -> v0.35.0
golang.org/x/tools v0.36.0 -> v0.42.0
google.golang.org/genproto/googleapis/api v0.0.0-20251111163417-95abcf5c77ba -> v0.0.0-20260401024825-9d38bb4040a9
google.golang.org/genproto/googleapis/rpc v0.0.0-20251111163417-95abcf5c77ba -> v0.0.0-20260401024825-9d38bb4040a9
google.golang.org/grpc v1.75.1 -> v1.80.0
google.golang.org/protobuf v1.36.10 -> v1.36.11

cursor[bot]
cursor Bot reviewed Apr 8, 2026
View reviewed changes
Copy link
Copy Markdown

@cursor cursor Bot left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Fix All in Cursor

Bugbot Autofix prepared a fix for the issue found in the latest run.

  • ✅ Fixed: go.work version conflicts with updated go.mod version
    • Updated go.work from go 1.24.4 to go 1.25.0 to match the module’s minimum Go version and prevent workspace version mismatch issues.

Create PR

Or push these changes by commenting:

@cursor push 396aa07a62
Preview (396aa07a62) 
diff --git a/go.work b/go.work
--- a/go.work
+++ b/go.work
@@ -1,4 +1,4 @@
-go 1.24.4
+go 1.25.0
 
 use (
 	.

You can send follow-ups to the cloud agent here.

Reviewed by Cursor Bugbot for commit cd49bd3. Configure here.

Comment thread go.mod
go 1.24.0

toolchain go1.24.4
go 1.25.0
Copy link
Copy Markdown

@cursor cursor Bot Apr 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

go.work version conflicts with updated go.mod version

Medium Severity

The go directive in go.mod was bumped from 1.24.0 to 1.25.0 (required by the updated otel v1.43.0 dependencies), but the go.work file was not updated and still declares go 1.24.4. This creates a version mismatch in the Go workspace. Developers using Go 1.24.x in workspace mode will encounter build failures or unexpected toolchain auto-download behavior, since the main module now requires Go 1.25.0. The go.work file needs to be updated to at least go 1.25.0 to stay consistent.

Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit cd49bd3. Configure here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

automerge-security-update severity:MEDIUM update-minor

Projects

Alerting
Status: In review

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants