Affected versions of this package are vulnerable to Improper Handling of Exceptional Conditions via the PrometheusExporter process. An attacker can cause the process to terminate unexpectedly by sending a single malformed HTTP request to the metrics endpoint, resulting in an uncaught exception and process crash.
Note:
This is only exploitable if the application uses the built-in Prometheus exporter server, or if the OTEL_METRICS_EXPORTER environment variable is set to a value that includes prometheus in combination with either @opentelemetry/sdk-node or @opentelemetry/auto-instrumentations-node.
Workaround
This vulnerability can be mitigated by restricting access to the metrics endpoint using network policies, binding the server to localhost, or placing the endpoint behind a reverse proxy that filters incoming requests.
Remediation
Upgrade @opentelemetry/exporter-prometheus to version 0.217.0 or higher.