Opentelemetry Cpp
Monthly
Memory exhaustion in opentelemetry-cpp OTLP HTTP exporters (traces, metrics, logs) prior to 1.27.0 allows an attacker who controls the configured collector endpoint - or occupies a MITM position on the network path - to crash the instrumented process by returning an arbitrarily large HTTP response body. The curl-based HTTP client read response data into an unbounded in-memory buffer via io-equivalent copy with no size limit, making peak heap allocation entirely attacker-controlled. No public exploit has been identified at time of analysis, and EPSS at 0.02% (6th percentile) indicates low opportunistic exploitation probability, though the targeted threat model (supply-chain-adjacent collector compromise) is realistic in telemetry-heavy environments.
Memory exhaustion in opentelemetry-cpp OTLP HTTP exporters (traces, metrics, logs) prior to 1.27.0 allows an attacker who controls the configured collector endpoint - or occupies a MITM position on the network path - to crash the instrumented process by returning an arbitrarily large HTTP response body. The curl-based HTTP client read response data into an unbounded in-memory buffer via io-equivalent copy with no size limit, making peak heap allocation entirely attacker-controlled. No public exploit has been identified at time of analysis, and EPSS at 0.02% (6th percentile) indicates low opportunistic exploitation probability, though the targeted threat model (supply-chain-adjacent collector compromise) is realistic in telemetry-heavy environments.