Vulnerabilities: 1 (via 8 paths)

Dependencies: 28

Source: GitHub


high severity
new

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: @opentelemetry/core
  • Introduced through: @opentelemetry/otlp-transformer@0.214.0

Detailed paths

  • Introduced through: @darkhunt-security/telemetry@darkhunt-security/darkhunt-telemetry-ts › @opentelemetry/otlp-transformer@0.214.0 › @opentelemetry/core@2.6.1
    Remediation: Upgrade to @opentelemetry/otlp-transformer@0.219.0.
  • Introduced through: @darkhunt-security/telemetry@darkhunt-security/darkhunt-telemetry-ts › @opentelemetry/otlp-transformer@0.214.0 › @opentelemetry/resources@2.6.1 › @opentelemetry/core@2.6.1
    Remediation: Upgrade to @opentelemetry/otlp-transformer@0.219.0.
  • Introduced through: @darkhunt-security/telemetry@darkhunt-security/darkhunt-telemetry-ts › @opentelemetry/otlp-transformer@0.214.0 › @opentelemetry/sdk-logs@0.214.0 › @opentelemetry/core@2.6.1
    Remediation: Upgrade to @opentelemetry/otlp-transformer@0.219.0.
  • Introduced through: @darkhunt-security/telemetry@darkhunt-security/darkhunt-telemetry-ts › @opentelemetry/otlp-transformer@0.214.0 › @opentelemetry/sdk-metrics@2.6.1 › @opentelemetry/core@2.6.1
    Remediation: Upgrade to @opentelemetry/otlp-transformer@0.219.0.
  • Introduced through: @darkhunt-security/telemetry@darkhunt-security/darkhunt-telemetry-ts › @opentelemetry/otlp-transformer@0.214.0 › @opentelemetry/sdk-trace-base@2.6.1 › @opentelemetry/core@2.6.1
    Remediation: Upgrade to @opentelemetry/otlp-transformer@0.219.0.
  • Introduced through: @darkhunt-security/telemetry@darkhunt-security/darkhunt-telemetry-ts › @opentelemetry/otlp-transformer@0.214.0 › @opentelemetry/sdk-logs@0.214.0 › @opentelemetry/resources@2.6.1 › @opentelemetry/core@2.6.1
    Remediation: Upgrade to @opentelemetry/otlp-transformer@0.219.0.
  • Introduced through: @darkhunt-security/telemetry@darkhunt-security/darkhunt-telemetry-ts › @opentelemetry/otlp-transformer@0.214.0 › @opentelemetry/sdk-metrics@2.6.1 › @opentelemetry/resources@2.6.1 › @opentelemetry/core@2.6.1
    Remediation: Upgrade to @opentelemetry/otlp-transformer@0.219.0.
  • Introduced through: @darkhunt-security/telemetry@darkhunt-security/darkhunt-telemetry-ts › @opentelemetry/otlp-transformer@0.214.0 › @opentelemetry/sdk-trace-base@2.6.1 › @opentelemetry/resources@2.6.1 › @opentelemetry/core@2.6.1
    Remediation: Upgrade to @opentelemetry/otlp-transformer@0.219.0.

Overview

@opentelemetry/core is the OpenTelemetry Core package; it provides constants and utilities shared by all OpenTelemetry SDK packages.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the extract function. An attacker can cause excessive memory allocation by sending oversized baggage HTTP headers or equivalent data via non-HTTP transports.

Note: This is only exploitable if the deployment does not enforce transport-layer header size limits, for example when a custom transport is used or when the default HTTP header size limits have been raised.

Workaround

This vulnerability can be mitigated by configuring strict header size limits at the server or gateway level, or by validating input size before passing it to the propagator in non-HTTP transports.

Remediation

Upgrade @opentelemetry/core to version 2.8.0 or higher.
