Skip to main content

OpenTelemetry JS Prometheus Exporter CVE-2026-44902

| EUVDEUVD-2026-32538 HIGH
Improper Handling of Exceptional Conditions (CWE-755)
2026-05-11 https://github.com/open-telemetry/opentelemetry-js GHSA-q7rr-3cgh-j5r3
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
May 11, 2026 - 15:01 vuln.today
Analysis Generated
May 11, 2026 - 15:01 vuln.today
CVE Published
May 11, 2026 - 14:42 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 45 npm packages depend on @opentelemetry/auto-instrumentations-node (34 direct, 12 indirect)
  • 227 npm packages depend on @opentelemetry/exporter-prometheus (7 direct, 220 indirect)
  • 224 npm packages depend on @opentelemetry/sdk-node (90 direct, 138 indirect)

Ecosystem-wide dependent count for version 0.75.0 and other introduced versions.

DescriptionGitHub Advisory

Summary

A single malformed HTTP request crashes any Node.js process running the OpenTelemetry JS Prometheus exporter. The metrics endpoint (default 0.0.0.0:9464) has no error handling around URL parsing, so a request with an invalid URI causes an uncaught TypeError that terminates the process.

You are affected by this vulnerability if either of the following apply to your application:

  • you directly use @opentelemetry/exporter-prometheus in your code through its built-in server.
  • your OTEL_METRICS_EXPORTER environment variable includes prometheus AND
  • you use @opentelemetry/sdk-node
  • you use @opentelemetry/auto-instrumentations-node via --require @opentelemetry/auto-instrumentations-node/register/--import @opentelemetry/auto-instrumentations-node/register

Impact

Denial of service. Any application using the OpenTelemetry Prometheus exporter’s built-in server can be crashed by a single unauthenticated network packet sent to the metrics port. No authentication, special privileges, or prior access is required.

Remediation

Update to the fixed version

Update @opentelemetry/exporter-prometheus and @opentelemetry/sdk-node to version 0.217.0 or later. Update @opentelemetry/auto-instrumentations-node to version 0.75.0 or later.

This release adds proper error handling around the URL constructor, returning an HTTP 400 response on parse failure rather than allowing the exception to propagate and crash the process.

npm install @opentelemetry/exporter-prometheus@latest

Do Not Expose the Endpoint to Untrusted Users

> [!IMPORTANT] > The following mitigations reduce exposure but do not fully remediate the vulnerability. Any client that *can* reach the metrics endpoint - including your own Prometheus scraper host if compromised - could still trigger the crash. Updating to 0.217.0 is the recommended resolution.

If updating is not immediately feasible, restrict access to the metrics endpoint so that it is not reachable by untrusted or unauthenticated network clients. For example:

  • Bind to localhost only by setting the host option to 127.0.0.1 when configuring the PrometheusExporter, so the port is not exposed on public or shared network interfaces
  • Use a firewall or network policy to restrict access to port 9464 (or whichever port you have configured) to only trusted Prometheus scrape hosts
  • Place the endpoint behind a reverse proxy that filters or validates incoming requests before they reach the exporter

Details

In PrometheusExporter.ts, the _requestHandler calls new URL(request.url, this._baseUrl) without any error handling. Node's HTTP parser accepts absolute-form URIs (e.g. http://) for proxy compatibility, including malformed ones. When request.url is "http://", the URL constructor throws TypeError: Invalid URL. Since there is no try-catch in the handler, the exception propagates as an uncaught exception and crashes the process.

The Prometheus metrics endpoint is unauthenticated by design (Prometheus scrapes it) and binds to 0.0.0.0 by default, meaning it is reachable by any network client that can connect to the metrics port.

Proof of Concept

Start any Node.js application with the Prometheus exporter running on the default port 9464, then send a single raw TCP packet:

echo -ne 'GET http:// HTTP/1.1\r\nHost: localhost\r\n\r\n' | nc localhost 9464

The process crashes immediately with:

TypeError: Invalid URL
    at new URL (...)
    at PrometheusExporter._requestHandler (...)

AnalysisAI

Remote unauthenticated attackers can crash Node.js applications running the OpenTelemetry Prometheus exporter by sending a single malformed HTTP request to the metrics endpoint (default port 9464). The vulnerability exists in @opentelemetry/exporter-prometheus versions prior to 0.217.0, where missing error handling around URL parsing causes an uncaught TypeError when processing invalid URIs, terminating the entire Node.js process. The metrics endpoint binds to 0.0.0.0 by default and requires no authentication, making exploitation trivial for any network-accessible attacker. Publicly available exploit code exists (one-line netcat command demonstrated in vendor advisory). No active exploitation confirmed at time of analysis, though the attack complexity is minimal (CVSS AC:L) and the impact severe for production observability infrastructure.

Technical ContextAI

OpenTelemetry is a vendor-neutral observability framework that collects application metrics, traces, and logs. The Prometheus exporter component exposes metrics via HTTP for scraping by Prometheus monitoring systems. This vulnerability stems from CWE-755 (Improper Handling of Exceptional Conditions) in the PrometheusExporter._requestHandler function. Node.js HTTP servers accept absolute-form request URIs (e.g., 'GET http://host/path HTTP/1.1') for HTTP proxy compatibility per RFC 7230. The exporter code passes request.url directly to JavaScript's URL constructor without try-catch blocks. When an attacker sends a malformed absolute URI like 'GET http:// HTTP/1.1', the URL constructor throws TypeError: Invalid URL. Because Node.js treats uncaught exceptions in HTTP request handlers as fatal errors by default, the exception propagates to the event loop and terminates the process with exit code 1. The affected packages include @opentelemetry/exporter-prometheus (core exporter), @opentelemetry/sdk-node (SDK that instantiates exporters based on OTEL_METRICS_EXPORTER environment variable), and @opentelemetry/auto-instrumentations-node (auto-instrumentation wrapper). All three packages share the vulnerable URL parsing code path when Prometheus metrics export is enabled.

RemediationAI

Update affected npm packages to patched versions: @opentelemetry/exporter-prometheus to 0.217.0 or later, @opentelemetry/sdk-node to 0.217.0 or later, and @opentelemetry/auto-instrumentations-node to 0.75.0 or later using 'npm install @opentelemetry/exporter-prometheus@latest @opentelemetry/sdk-node@latest @opentelemetry/auto-instrumentations-node@latest'. The patched releases add try-catch error handling around the URL constructor, returning HTTP 400 Bad Request responses for malformed URIs instead of crashing the process. If immediate patching is not feasible, implement network-level compensating controls with the following trade-offs: (1) Bind metrics endpoint to localhost only by setting host option to '127.0.0.1' in PrometheusExporter configuration - prevents remote exploitation but requires Prometheus scraper to run on same host or use SSH tunneling, complicating distributed monitoring architectures. (2) Restrict port 9464 access via firewall rules to only trusted Prometheus scraper IP addresses - reduces attack surface but does not eliminate risk if scraper host is compromised or if internal network contains malicious actors. (3) Deploy reverse proxy (nginx, Envoy) in front of metrics endpoint with request validation - adds architectural complexity, introduces single point of failure, and incurs latency penalty for metrics collection. Vendor explicitly warns these mitigations 'reduce exposure but do not fully remediate' the vulnerability. Detailed remediation guidance at https://github.com/open-telemetry/opentelemetry-js/security/advisories/GHSA-q7rr-3cgh-j5r3.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Share

CVE-2026-44902 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy