Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
Malformed MongoDB wire messages can trigger uncaught panics in the MongoDB TCP parser, allowing a remote unauthenticated attacker to crash the telemetry agent and cause a denial of service. The parser operates on raw attacker-controlled network payloads before the input is fully validated, so a single crafted message can terminate telemetry collection for the affected process or node.
Details
MongoDB parsing support was introduced by commit 2070f568a (Add Initial support for mongodb), so the explicit released version minimum affected is v0.1.0.
There are two related panic conditions in released go.opentelemetry.io/obi versions:
- In
v0.1.0throughv0.3.0,parseOpMessagereads OP_MSG flag bits frombuf[msgHeaderSize:msgHeaderSize+int32Size]without first ensuring the buffer is at leastmsgHeaderSize + int32Sizebytes long. A truncated OP_MSG packet can therefore trigger a slice-bounds panic before the parser returns an error. - In
v0.1.0throughv0.3.0,parseSectionsconsumes the section type byte and then reads the document-sequence length frombuf[offSet:offSet+int32Size]without re-validating that enough bytes remain after the type byte. A malformed document-sequence section can therefore trigger another slice-bounds panic. - In
v0.1.0throughv0.8.0,parseFirstFieldassumes the collection name for collection-scoped commands is always a string and performs an unchecked type assertion onfield.Value. A malformed BSON document can therefore trigger a runtime panic withinterface conversioninstead of returning a parse error.
The bounds-check panic was fixed by commit 3aa58cdaaa97fbb72f8ef4c3609ae425aacaf8bb (Fix MongoDB client panic), which first appears in release v0.4.0. The unchecked BSON type assertion is still present in v0.8.0.
Because this code runs while decoding attacker-controlled MongoDB traffic, the failure mode is process termination rather than graceful rejection of invalid input. In deployments where the telemetry agent monitors traffic from untrusted or partially trusted clients, a single malformed packet can terminate collection until the agent is restarted.
Affected code paths are in pkg/ebpf/common/mongo_detect_transform.go and correspond to parseOpMessage, parseSections, and parseFirstField.
PoC
The following reproductions are fully self-contained. They create a temporary test file inside an affected checkout and then run go test against the real parser code in the repository.
- Reproduce the
v0.1.0throughv0.3.0bounds-check panics:
git clone https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation.git obi-poc
cd obi-poc
git checkout v0.3.0
cat > pkg/ebpf/common/mongo_security_poc_test.go <<'EOF'
package ebpfcommon
import "testing"
func TestSecurityPoCParseOpMessageShortPanics(t *testing.T) {
parseOpMessage(make([]byte, 16), 0, false, nil)
}
func TestSecurityPoCParseSectionsShortDocSequencePanics(t *testing.T) {
parseSections([]byte{byte(sectionTypeDocumentSequence), 0x01, 0x02, 0x03})
}
EOF
go test ./pkg/ebpf/common -run 'TestSecurityPoCParseOpMessageShortPanics|TestSecurityPoCParseSectionsShortDocSequencePanics' -count=1Expected result:
TestSecurityPoCParseOpMessageShortPanicspanics with a message similar toslice bounds out of range [:20] with capacity 16TestSecurityPoCParseSectionsShortDocSequencePanicspanics with a message similar toslice bounds out of range [:5] with capacity 4
- Reproduce the
v0.1.0throughv0.8.0unchecked BSON type-assertion panic:
git clone https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation.git obi-poc
cd obi-poc
git checkout v0.8.0
cat > pkg/ebpf/common/mongo_security_poc_test.go <<'EOF'
package ebpfcommon
import (
"testing"
"go.mongodb.org/mongo-driver/v2/bson"
)
func TestSecurityPoCParseFirstFieldTypeAssertionPanics(t *testing.T) {
parseFirstField(bson.E{Key: commFind, Value: int32(123)})
}
EOF
go test ./pkg/ebpf/common -run TestSecurityPoCParseFirstFieldTypeAssertionPanics -count=1Expected result: panic with a message similar to interface conversion: interface {} is int32, not string.
Impact
This is a remote denial-of-service vulnerability in the MongoDB protocol parser. Any deployment that enables MongoDB parsing and processes attacker-controlled or malformed MongoDB traffic is impacted. Successful exploitation lets an unauthenticated attacker crash the telemetry agent by sending a crafted OP_MSG packet or malformed BSON document, causing loss of observability until the process is restarted.
AnalysisAI
Remote denial-of-service in OpenTelemetry eBPF Instrumentation (go.opentelemetry.io/obi) versions v0.1.0 through v0.8.0 allows unauthenticated attackers to crash the telemetry agent by sending malformed MongoDB wire protocol messages. The MongoDB TCP parser contains three uncaught panic conditions (two slice-bounds errors in parseOpMessage/parseSections, and an unchecked BSON type assertion in parseFirstField) that terminate telemetry collection for the affected process or node. Publicly available exploit code exists in the form of self-contained Go test reproductions published in the GHSA advisory.
Technical ContextAI
OpenTelemetry eBPF Instrumentation (OBI) is a Go-based telemetry agent that uses eBPF to inspect application traffic on a host and produce OpenTelemetry signals without code instrumentation. As part of protocol detection it parses raw MongoDB wire-protocol bytes (OP_MSG, document sequences, BSON commands) in pkg/ebpf/common/mongo_detect_transform.go. The flaws are classic CWE-20 (Improper Input Validation) issues: parseOpMessage and parseSections slice attacker-supplied buffers using offsets derived from length fields without first verifying that enough bytes remain, while parseFirstField performs an unchecked type assertion that field.Value is a string. Because Go panics on slice-out-of-bounds and bad type assertions, and the parser runs on raw network bytes before validation, the entire telemetry process terminates instead of returning a parse error. The CPE pkg:go/go.opentelemetry.io_obi identifies the affected Go module.
RemediationAI
Vendor-released patch: upgrade go.opentelemetry.io/obi to v0.9.0 or later, which fixes all three panic conditions (the slice-bounds issues were already fixed in v0.4.0 by commit 3aa58cdaaa97fbb72f8ef4c3609ae425aacaf8bb, and v0.9.0 additionally addresses the parseFirstField type assertion). See the advisory at https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/security/advisories/GHSA-j8p6-96vp-f3r9 for full details. If immediate upgrade is not possible, disable MongoDB protocol parsing in the OBI configuration so the vulnerable code paths in pkg/ebpf/common/mongo_detect_transform.go are not exercised (trade-off: loss of MongoDB telemetry visibility), or restrict the network paths the agent observes to trusted MongoDB clients only via firewall/segmentation (trade-off: incomplete coverage of non-trusted traffic and operational overhead). Monitoring agent process liveness and configuring automatic restart (systemd Restart=always or equivalent) reduces but does not eliminate the impact, since attackers can simply re-send the malformed packet.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| SUSE Linux Enterprise Desktop 15 SP7 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Basesystem 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
| openSUSE Leap 16.0 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33958
GHSA-j8p6-96vp-f3r9