chore(deps): update module go.opentelemetry.io/otel to v1.41.0 [security]

[tagoro9-renovatebot]

This PR contains the following updates:

Package	Change	Age	Confidence
go.opentelemetry.io/otel	v1.37.0 -> v1.41.0

GitHub Vulnerability Alerts

CVE-2026-29181

multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. this allows an attacker to amplify cpu and allocations by sending many baggage: header lines, even when each individual value is within the 8192-byte per-value parse limit.

severity

HIGH (availability / remote request amplification)

relevant links

• repository: https://github.com/open-telemetry/opentelemetry-go
• pinned callsite: https://github.com/open-telemetry/opentelemetry-go/blob/1ee4a4126dbdd1bc79e9fae072fa488beffac52a/propagation/baggage.go#L58

vulnerability details

pins: open-telemetry/opentelemetry-go@1ee4a41
as-of: 2026-02-04
policy: direct (no program scope provided)

callsite: propagation/baggage.go:58 (extractMultiBaggage)
attacker control: inbound HTTP request headers (many baggage field-values) → propagation.HeaderCarrier.Values("baggage") → repeated baggage.Parse + member aggregation

root cause

extractMultiBaggage iterates over all baggage header field-values and parses each one independently, then appends members into a shared slice. the 8192-byte parsing cap applies per header value, but the multi-value path repeats that work once per header line (bounded only by the server/proxy header byte limit).

impact

in a default net/http configuration (max header bytes 1mb), a single request with many baggage: header field-values can cause large per-request allocations and increased latency.

example from the attached PoC harness (darwin/arm64; 80 values; 40 requests):

• canonical: per_req_alloc_bytes=10315458 and p95_ms=7
• control: per_req_alloc_bytes=133429 and p95_ms=0

proof of concept

canonical:

mkdir -p poc
unzip poc.zip -d poc
cd poc
make test

output (excerpt):

[CALLSITE_HIT]: propagation/baggage.go:58 extractMultiBaggage
[PROOF_MARKER]: baggage_multi_value_amplification p95_ms=7 per_req_alloc_bytes=10315458 per_req_allocs=16165

control:

cd poc
make control

control output (excerpt):

[NC_MARKER]: baggage_single_value_baseline p95_ms=0 per_req_alloc_bytes=133429 per_req_allocs=480

expected: multiple baggage header field-values should be semantically equivalent to a single comma-joined baggage value and should not multiply parsing/alloc work within the effective header byte budget.
actual: multiple baggage header field-values trigger repeated parsing and member aggregation, causing high per-request allocations and increased latency even when each individual value is within 8192 bytes.

fix recommendation

avoid repeated parsing across multi-values by enforcing a global budget and/or normalizing multi-values into a single value before parsing. one mitigation approach is to treat multi-values as a single comma-joined string and cap total parsed bytes (for example 8192 bytes total).

fix accepted when: under the default PoC harness settings, canonical stays within 2x of control for per_req_alloc_bytes and per_req_allocs, and p95_ms stays below 2ms.

poc.zip
PR_DESCRIPTION.md

---

Release Notes

open-telemetry/opentelemetry-go (go.opentelemetry.io/otel)

v1.41.0: /v0.63.0/v0.17.0/v0.0.15

Compare Source

This release is the last to support Go 1.24. The next release will require at least Go 1.25.

Added

• Support testing of Go 1.26. (#​7902)

Fixed

• Update Baggage in go.opentelemetry.io/otel/propagation and Parse and New in go.opentelemetry.io/otel/baggage to comply with W3C Baggage specification limits. New and Parse now return partial baggage along with an error when limits are exceeded. Errors from baggage extraction are reported to the global error handler. (#​7880)

What's Changed

• fix(deps): update googleapis to ce8ad4c by @​renovate[bot] in #​7860
• chore(deps): update otel/weaver docker tag to v0.21.0 by @​renovate[bot] in #​7865
• fix(deps): update module go.opentelemetry.io/collector/pdata to v1.51.0 by @​renovate[bot] in #​7863
• chore(deps): update golang.org/x/telemetry digest to fe4bb1c by @​renovate[bot] in #​7861
• chore(deps): update golang.org/x/telemetry digest to aaaaaa5 by @​renovate[bot] in #​7869
• sdk/log/observ: guard LogProcessed with Enabled by @​NesterovYehor in #​7848
• stdouttrace observability: skip metric work when instruments are disabled by @​NesterovYehor in #​7853
• chore(deps): update otel/weaver docker tag to v0.21.2 by @​renovate[bot] in #​7870
• fix(deps): update googleapis to 546029d by @​renovate[bot] in #​7871
• stdoutmetric observ: skip metric work when instruments are disabled by @​NesterovYehor in #​7868
• chore(deps): update fossas/fossa-action action to v1.8.0 by @​renovate[bot] in #​7879
• chore(deps): update github/codeql-action action to v4.32.2 by @​renovate[bot] in #​7878
• chore(deps): update module github.com/ghostiam/protogetter to v0.3.20 by @​renovate[bot] in #​7877
• chore(deps): update golang.org/x/telemetry digest to 86a5c4b by @​renovate[bot] in #​7876
• fix(deps): update module golang.org/x/sys to v0.41.0 by @​renovate[bot] in #​7885
• chore(deps): update module github.com/clipperhouse/uax29/v2 to v2.6.0 by @​renovate[bot] in #​7884
• Checked if instrument enabled before measuring in prometheus by @​itssaharsh in #​7866
• exporter/otlploghttp: guard observ metrics with Enabled checks by @​NesterovYehor in #​7813
• chore(deps): update module github.com/go-git/go-git/v5 to v5.16.5 by @​renovate[bot] in #​7886
• chore(deps): update golang.org/x by @​renovate[bot] in #​7887
• fix(deps): update golang.org/x by @​renovate[bot] in #​7890
• fix(deps): update golang.org/x to 2842357 by @​renovate[bot] in #​7891
• fix(deps): update googleapis to 4cfbd41 by @​renovate[bot] in #​7889
• Checked if instrument enabled before measuring in oteltracegrpc by @​itssaharsh in #​7825
• Checked if Instrument Enabled before measuring in otlpgrpc by @​itssaharsh in #​7824
• chore(deps): update module github.com/grpc-ecosystem/grpc-gateway/v2 to v2.27.8 by @​renovate[bot] in #​7892
• chore(deps): update module github.com/golangci/golines to v0.15.0 by @​renovate[bot] in #​7893
• chore(deps): update module github.com/golangci/misspell to v0.8.0 by @​renovate[bot] in #​7894
• chore(deps): update golang.org/x/telemetry digest to 9f66fae by @​renovate[bot] in #​7898
• fix(deps): update module google.golang.org/grpc to v1.79.0 by @​renovate[bot] in #​7906
• Support Go 1.26 by @​dmathieu in #​7902
• fix(deps): update module google.golang.org/grpc to v1.79.1 by @​renovate[bot] in #​7908
• chore(deps): update github/codeql-action action to v4.32.3 by @​renovate[bot] in #​7909
• chore(deps): update module github.com/kevinburke/ssh_config to v1.5.0 by @​renovate[bot] in #​7911
• chore(deps): update module github.com/kevinburke/ssh_config to v1.6.0 by @​renovate[bot] in #​7913
• chore(deps): update actions/stale action to v10.2.0 by @​renovate[bot] in #​7917
• chore(deps): update module github.com/godoc-lint/godoc-lint to v0.11.2 by @​renovate[bot] in #​7916
• chore(deps): update module github.com/clipperhouse/uax29/v2 to v2.7.0 by @​renovate[bot] in #​7915
• chore(deps): update module github.com/mattn/go-runewidth to v0.0.20 by @​renovate[bot] in #​7918
• chore(deps): update module github.com/grpc-ecosystem/grpc-gateway/v2 to v2.28.0 by @​renovate[bot] in #​7921
• Checked if Operation Enabled in otlptracehttp before performing operation by @​itssaharsh in #​7881
• chore(deps): update github/codeql-action action to v4.32.4 by @​renovate[bot] in #​7936
• chore(deps): update module github.com/mirrexone/unqueryvet to v1.5.4 by @​renovate[bot] in #​7939
• chore(deps): update module github.com/uudashr/gocognit to v1.2.1 by @​renovate[bot] in #​7947
• chore(deps): update module github.com/alexkohler/prealloc to v1.0.3 by @​renovate[bot] in #​7950
• chore(deps): update module github.com/go-git/go-billy/v5 to v5.8.0 by @​renovate[bot] in #​7953
• chore(deps): update lycheeverse/lychee-action action to v2.8.0 by @​renovate[bot] in #​7959
• chore(deps): update module github.com/go-git/go-git/v5 to v5.17.0 by @​renovate[bot] in #​7960
• chore(deps): update actions/setup-go action to v6.3.0 by @​renovate[bot] in #​7962
• Document metric api interfaces that methods need to be safe to be called concurrently by @​dashpole in #​7952
• ci: add govulncheck job to CI workflow and update lint target by @​pellared in #​7971
• Comply with W3C Baggage specification limits by @​XSAM in #​7880
• chore(deps): update module github.com/mgechev/revive to v1.14.0 by @​renovate[bot] in #​7895
• chore(deps): update github artifact actions (major) by @​renovate[bot] in #​7963
• chore(deps): update module github.com/kisielk/errcheck to v1.10.0 by @​renovate[bot] in #​7967
• chore(deps): update module github.com/protonmail/go-crypto to v1.4.0 by @​renovate[bot] in #​7969
• fix(deps): update github.com/opentracing-contrib/go-grpc/test digest to d566b4d by @​renovate[bot] in #​7972
• chore(deps): update module github.com/sonatard/noctx to v0.5.0 by @​renovate[bot] in #​7968
• chore(deps): update module github.com/daixiang0/gci to v0.14.0 by @​renovate[bot] in #​7973
• chore(deps): update module github.com/securego/gosec/v2 to v2.23.0 by @​renovate[bot] in #​7899
• Generate semconv/v1.40.0 by @​ChrsMark in #​7929
• Revert "Generate semconv/v1.40.0" by @​dmathieu in #​7978
• chore(deps): update github/codeql-action action to v4.32.5 by @​renovate[bot] in #​7980
• fix: add error handling for insecure HTTP endpoints with TLS client configuration by @​sandy2008 in #​7914
• Release 1.41.0/0.63.0/0.17.0/0.0.15 by @​pellared in #​7977

New Contributors

• @​NesterovYehor made their first contribution in #​7848
• @​sandy2008 made their first contribution in #​7914

Full Changelog: open-telemetry/opentelemetry-go@v1.40.0...v1.41.0

v1.40.0

Compare Source

Added

• Add go.opentelemetry.io/otel/semconv/v1.40.0 package.
  The package contains semantic conventions from the v1.40.0 version of the OpenTelemetry Semantic Conventions.
  See the migration documentation for information on how to upgrade from go.opentelemetry.io/otel/semconv/v1.39.0. (#​7985)
• Add Err and SetErr on Record in go.opentelemetry.io/otel/log to attach an error and set record exception attributes in go.opentelemetry.io/otel/log/sdk. (#​7924)

Changed

• TracerProvider.ForceFlush in go.opentelemetry.io/otel/sdk/trace joins errors together and continues iteration through SpanProcessors as opposed to returning the first encountered error without attempting exports on subsequent SpanProcessors. (#​7856)

Fixed

• Fix missing request.GetBody in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp to correctly handle HTTP2 GOAWAY frame. (#​7931)
• Fix semconv v1.39.0 generated metric helpers skipping required attributes when extra attributes were empty. (#​7964)
• Preserve W3C TraceFlags bitmask (including the random Trace ID flag) during trace context extraction and injection in go.opentelemetry.io/otel/propagation. (#​7834)

Removed

• Drop support for [Go 1.24]. (#​7984)

v1.39.0

Compare Source

Added

• Add go.opentelemetry.io/otel/semconv/v1.40.0 package.
  The package contains semantic conventions from the v1.40.0 version of the OpenTelemetry Semantic Conventions.
  See the migration documentation for information on how to upgrade from go.opentelemetry.io/otel/semconv/v1.39.0. (#​7985)
• Add Err and SetErr on Record in go.opentelemetry.io/otel/log to attach an error and set record exception attributes in go.opentelemetry.io/otel/log/sdk. (#​7924)

Changed

• TracerProvider.ForceFlush in go.opentelemetry.io/otel/sdk/trace joins errors together and continues iteration through SpanProcessors as opposed to returning the first encountered error without attempting exports on subsequent SpanProcessors. (#​7856)

Fixed

• Fix missing request.GetBody in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp to correctly handle HTTP2 GOAWAY frame. (#​7931)
• Fix semconv v1.39.0 generated metric helpers skipping required attributes when extra attributes were empty. (#​7964)
• Preserve W3C TraceFlags bitmask (including the random Trace ID flag) during trace context extraction and injection in go.opentelemetry.io/otel/propagation. (#​7834)

Removed

• Drop support for [Go 1.24]. (#​7984)

v1.38.0

Compare Source

Added

• Add AlwaysRecord sampler in go.opentelemetry.io/otel/sdk/trace. (#​7724)
• Add Enabled method to all synchronous instrument interfaces (Float64Counter, Float64UpDownCounter, Float64Histogram, Float64Gauge, Int64Counter, Int64UpDownCounter, Int64Histogram, Int64Gauge,) in go.opentelemetry.io/otel/metric.
  This stabilizes the synchronous instrument enabled feature, allowing users to check if an instrument will process measurements before performing computationally expensive operations. (#​7763)
• Add go.opentelemetry.io/otel/semconv/v1.39.0 package.
  The package contains semantic conventions from the v1.39.0 version of the OpenTelemetry Semantic Conventions.
  See the migration documentation for information on how to upgrade from go.opentelemetry.io/otel/semconv/v1.38.0. (#​7783, #​7789)

Changed

• Improve the concurrent performance of HistogramReservoir in go.opentelemetry.io/otel/sdk/metric/exemplar by 4x. (#​7443)
• Improve the concurrent performance of FixedSizeReservoir in go.opentelemetry.io/otel/sdk/metric/exemplar. (#​7447)
• Improve performance of concurrent histogram measurements in go.opentelemetry.io/otel/sdk/metric. (#​7474)
• Improve performance of concurrent synchronous gauge measurements in go.opentelemetry.io/otel/sdk/metric. (#​7478)
• Add experimental observability metrics in go.opentelemetry.io/otel/exporters/stdout/stdoutmetric. (#​7492)
• Exporter in go.opentelemetry.io/otel/exporters/prometheus ignores metrics with the scope go.opentelemetry.io/contrib/bridges/prometheus.
  This prevents scrape failures when the Prometheus exporter is misconfigured to get data from the Prometheus bridge. (#​7688)
• Improve performance of concurrent exponential histogram measurements in go.opentelemetry.io/otel/sdk/metric. (#​7702)
• The rpc.grpc.status_code attribute in the experimental metrics emitted from go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc is replaced with the rpc.response.status_code attribute to align with the semantic conventions. (#​7854)
• The rpc.grpc.status_code attribute in the experimental metrics emitted from go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc is replaced with the rpc.response.status_code attribute to align with the semantic conventions. (#​7854)

Fixed

• Fix bad log message when key-value pairs are dropped because of key duplication in go.opentelemetry.io/otel/sdk/log. (#​7662)
• Fix DroppedAttributes on Record in go.opentelemetry.io/otel/sdk/log to not count the non-attribute key-value pairs dropped because of key duplication. (#​7662)
• Fix SetAttributes on Record in go.opentelemetry.io/otel/sdk/log to not log that attributes are dropped when they are actually not dropped. (#​7662)
• Fix missing request.GetBody in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp to correctly handle HTTP/2 GOAWAY frame. (#​7794)
• WithHostID detector in go.opentelemetry.io/otel/sdk/resource to use full path for ioreg command on Darwin (macOS). (#​7818)

Deprecated

• Deprecate go.opentelemetry.io/otel/exporters/zipkin.
  For more information, see the OTel blog post deprecating the Zipkin exporter. (#​7670)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[tagoro9-renovatebot]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 3 additional dependencies were updated

Details:

Package	Change
go.opentelemetry.io/auto/sdk	v1.1.0 -> v1.2.1
go.opentelemetry.io/otel/metric	v1.37.0 -> v1.41.0
go.opentelemetry.io/otel/trace	v1.37.0 -> v1.41.0

[github-actions]

Release notes preview

No new release will be created.

If you are expecting a release, you will need to either fix a bug or add a feature.
Chores, CI, docs, refactoring, style and other changes will not trigger a release.