Skip to main content

Opentelemetry Js

1 CVEs product

Monthly

CVE-2026-59892 HIGH PATCH This Week

Denial of service in OpenTelemetry JavaScript (@opentelemetry/propagator-jaeger) before 2.9.0 allows an unauthenticated remote attacker to crash a Node.js service by sending a malformed percent-encoded uber-trace-id or uberctx-* HTTP header. The JaegerPropagator passes header values to decodeURIComponent() without catching the resulting URIError, so the uncaught exception terminates the process. No public exploit identified at time of analysis, and this is not listed in CISA KEV; the fix is version 2.9.0.

Node.js Information Disclosure Opentelemetry Js
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.4%
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in OpenTelemetry JavaScript (@opentelemetry/propagator-jaeger) before 2.9.0 allows an unauthenticated remote attacker to crash a Node.js service by sending a malformed percent-encoded uber-trace-id or uberctx-* HTTP header. The JaegerPropagator passes header values to decodeURIComponent() without catching the resulting URIError, so the uncaught exception terminates the process. No public exploit identified at time of analysis, and this is not listed in CISA KEV; the fix is version 2.9.0.

Node.js Information Disclosure Opentelemetry Js
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy