What happened?
The OTLP HTTP exporter currently reads successful HTTP response bodies fully into memory before parsing partial-success responses. In the optional hyper client, non-2xx bodies are also fully collected before status handling. Because the default build uses reqwest-blocking, a malicious or compromised OTLP endpoint can return a very large response and cause memory exhaustion / DoS in the application process. The HTTP transport should enforce a small response-body limit and avoid reading non-success bodies entirely.
Refer to the discussion: https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-w8rr-5gcm-pp58#advisory-comment-180536
OpenTelemetry API Version (i.e. version of opentelemetry crate)
0.31.1
OpenTelemetry SDK Version (i.e. version of opentelemetry_sdk crate)
0.31.1
What Exporter(s) are you seeing the problem on?
OTLP
Relevant log output
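The mitigation the report asks for (cap the bytes buffered from a 2xx body, never buffer a non-2xx body) is shown below as an added example; it is not code from opentelemetry-rust, reqwest or hyper. It works over plain `std::io::Read` so it runs without any HTTP client, and the 64 KiB cap, the `ExportError` type and the `EndlessBody` stand-in for a misbehaving endpoint are all assumptions made for this illustration.

```rust
use std::io::{self, Read};

/// Upper bound on how much of an OTLP/HTTP response body this example buffers.
/// Partial-success responses are small (a rejected count plus an error
/// message), so a few KiB would already be generous. 64 KiB is an assumption.
pub const MAX_RESPONSE_BODY_BYTES: u64 = 64 * 1024;

#[derive(Debug, PartialEq)]
pub enum ExportError {
    /// Server answered with a non-2xx status; the body was left unread.
    HttpStatus(u16),
    /// A 2xx body exceeded `MAX_RESPONSE_BODY_BYTES`; buffering stopped there.
    BodyTooLarge { limit: u64 },
    Io(String),
}

/// Read at most `limit` bytes from `body`. If the stream holds more than
/// `limit` bytes, stop reading and report an error instead of growing the
/// buffer, so a hostile endpoint cannot force unbounded allocation.
pub fn read_body_bounded<R: Read>(body: R, limit: u64) -> Result<Vec<u8>, ExportError> {
    let mut buf = Vec::new();
    // Take one extra byte so "exactly limit" and "more than limit" are
    // distinguishable; memory use is bounded by limit + 1 regardless of input.
    let mut limited = body.take(limit + 1);
    limited
        .read_to_end(&mut buf)
        .map_err(|e| ExportError::Io(e.to_string()))?;
    if buf.len() as u64 > limit {
        return Err(ExportError::BodyTooLarge { limit });
    }
    Ok(buf)
}

/// Handle an export response given only its status code and body stream.
/// Non-2xx bodies are dropped unread; 2xx bodies are read under the cap.
pub fn handle_export_response<R: Read>(status: u16, body: R) -> Result<Vec<u8>, ExportError> {
    if !(200..300).contains(&status) {
        // Nothing in an error body is needed for status handling, so do not
        // spend memory on it; `body` is dropped here without a single read.
        return Err(ExportError::HttpStatus(status));
    }
    read_body_bounded(body, MAX_RESPONSE_BODY_BYTES)
}

/// Constructed stand-in for a malicious endpoint whose response never ends:
/// every read call hands back a full buffer of filler bytes.
pub struct EndlessBody;

impl Read for EndlessBody {
    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
        buf.fill(0x41);
        Ok(buf.len())
    }
}

fn main() {
    // Constructed sample bodies: a small partial-success JSON and an endless one.
    let small: &[u8] = b"{\"partialSuccess\":{\"rejectedSpans\":0}}";
    println!("200 + small body:    {:?}", handle_export_response(200, small));
    println!("200 + endless body:  {:?}", handle_export_response(200, EndlessBody));
    println!("503 + endless body:  {:?}", handle_export_response(503, EndlessBody));
}
```

Against the endless body the 2xx path stops after `MAX_RESPONSE_BODY_BYTES + 1` bytes and returns `BodyTooLarge`, and the 503 path returns `HttpStatus(503)` without calling `read` at all; the same `Read::take` pattern applies to a reqwest blocking response (which implements `Read`) once the status has been checked first.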