Linux Foundation OpenTelemetry-Go Contrib 0.38.0 for OpenTelemetry-Go
Approved changes feed: RSS · Atom
cpe:2.3:a:linuxfoundation:opentelemetry-go_contrib:0.38.0:*:*:*:*:opentelemetry-go:*:*
part: a version: 0.38.0 update: *
| Vendor | Linuxfoundation (4b459c90-8cdb-5268-beb4-b69b5fe74234) |
|---|---|
| Product | Opentelemetry Go Contrib (04d0cb3f-f54d-5e2c-8ec7-437cc65dea51) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | opentelemetry-go |
| Target hardware | * |
| Other | * |
| Notes | Imported from NVD CPE 2.0 feed |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
pkg:github/open-telemetry/opentelemetry-go-contrib |
purl2cpe | 2026-06-01 10:13:23.192621 |
pkg:golang/github.com/open-telemetry/opentelemetry-go-contrib |
purl2cpe | 2026-06-01 10:13:23.192624 |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2023-25151 |
vulnerable | 2026-06-03 14:49:32.301986 |
DoS vulnerability for high cardinality metrics in opentelemetry-go-contrib
HIGH (7.5)
opentelemetry-go-contrib is a collection of extensions for OpenTelemetry-Go. The v0.38.0 release of `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` uses the `httpconv.ServerRequest` function to annotate metric measurements for the `http.server.request_content_length`, `http.server.response_content_length`, and `http.server.duration` instruments. The `ServerRequest` function sets the `http.target` attribute value to be the whole request URI (including the query string)[^1]. The metric instruments do not "forget" previous measurement attributes when `cumulative` temporality is used, this means the cardinality of the measurements allocated is directly correlated with the unique URIs handled. If the query string is constantly random, this will result in a constant increase in memory allocation that can be used in a denial-of-service attack. This issue has been addressed in version 0.39.0. Users are advised to upgrade. There are no known workarounds for this issue.
Published: 2023-02-08T19:21:37.401Z
Updated: 2025-03-10T21:14:51.700Z |
Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.