Fluid Attacks Database

Description

OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to 1.43.0, the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory bytes.Buffer without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can mitm the exporter connection). This vulnerability is fixed in 1.43.0.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp	>=0 <0.19.0	0.19.0
go	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp	>=0 <1.43.0	1.43.0
go	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp	>=0 <1.43.0	1.43.0
debian 14	golang-opentelemetry-otel	=1.31.0-4 \|\| =1.31.0-5 \|\| =1.31.0-6	-
debian 13	golang-opentelemetry-otel	=1.31.0-4 \|\| =1.31.0-5 \|\| =1.31.0-6	-
debian 12	golang-opentelemetry-otel	=1.1.0-2 \|\| =1.10.0-1 \|\| =1.16.0-1 \|\| =1.16.0-2 \|\| =1.19.0-0 \|\| =1.21.0-1 \|\| =1.21.0-2 \|\| =1.21.0-3 \|\| =1.21.0-4 \|\| =1.31.0-1 \|\| =1.31.0-2 \|\| =1.31.0-3 \|\| =1.31.0-4 \|\| =1.31.0-5 \|\| =1.31.0-6	-

Aliases

1. CVE-2026-398822. NVD-2026-398823. OSV-2026-398824. OSV-DEBIAN-2026-398825. GHSA-w8rr-5gcm-pp586. GCVE-2026-398827. SECURITY-TRACKER-CVE-2026-39882

References

1. https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-w8rr-5gcm-pp582. https://github.com/open-telemetry/opentelemetry-go/pull/81083. http://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.43.0