
Fix CVE-2026-39882: Update OTLP trace exporters to v1.43.0#461

Open
Copilot wants to merge 2 commits into main from copilot/fix-opentelemetry-http-exporters-vulnerability

Conversation


Copilot AI commented Apr 9, 2026

Tl;dr: Bump vulnerable OTLP trace exporter transitive deps in long-running-test-arch/xk6 to fix unbounded HTTP response body read (memory exhaustion) vulnerability.

Context:

GHSA-w8rr-5gcm-pp58 / CVE-2026-39882: otlptrace* HTTP exporters read resp.Body via io.Copy with no size cap, allowing an attacker-controlled or MitM'd collector to OOM the process. Fixed in upstream v1.43.0.

Updated in long-running-test-arch/xk6/go.mod:

  • go.opentelemetry.io/otel/exporters/otlp/otlptrace: v1.38.0 → v1.43.0
  • go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc: v1.38.0 → v1.43.0
  • go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp: v1.38.0 → v1.43.0

Reachability: Low active risk. k6_otel.go only uses otlpmetricgrpc (gRPC, not HTTP). The three patched packages are indirect deps pulled in via go.k6.io/k6 and are never directly invoked. Update is primarily to clear the vulnerability scanner.

Test Plan:

Dependency-only change with no logic modifications; verified go mod tidy resolves cleanly and advisory DB reports no vulnerabilities at v1.43.0.

Test services data

  1. e-1712644058766987264
  2. e-1712643928659124224
  3. e-1742334541200846848
  4. e-1777406072376840192
Original prompt

This section details the Dependabot vulnerability alert you should resolve

<alert_title>opentelemetry-go: OTLP HTTP exporters read unbounded HTTP response bodies</alert_title>
<alert_description>overview:
this report shows that the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory bytes.Buffer without a size cap.

this is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can mitm the exporter connection).

severity

HIGH

not claiming: this is a remote dos against every default deployment.
claiming: if the exporter sends traces to an untrusted collector endpoint (or over a network segment where mitm is realistic), that endpoint can crash the process via a large response body.

callsite (pinned):

  • exporters/otlp/otlptrace/otlptracehttp/client.go:199
  • exporters/otlp/otlptrace/otlptracehttp/client.go:230
  • exporters/otlp/otlpmetric/otlpmetrichttp/client.go:170
  • exporters/otlp/otlpmetric/otlpmetrichttp/client.go:201
  • exporters/otlp/otlplog/otlploghttp/client.go:190
  • exporters/otlp/otlplog/otlploghttp/client.go:221

permalinks (pinned):

root cause:
each exporter client reads resp.Body using io.Copy(&respData, resp.Body) into a bytes.Buffer on both success and error paths, with no upper bound.

impact:
a malicious collector can force large transient heap allocations during export (peak memory scales with attacker-chosen response size) and can potentially crash the instrumented process (oom).

affected component:

  • go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp
  • go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp
  • go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp

repro (local-only):

unzip poc.zip -d poc
cd poc
make canonical resp_bytes=33554432 chunk_delay_ms=0

expected output contains:

[CALLSITE_HIT]: otlptracehttp.UploadTraces::io.Copy(resp.Body)
[PROOF_MARKER]: resp_bytes=33554432 peak_alloc_bytes=118050512

control (same env, patched target):

unzip poc.zip -d poc
cd poc
make control resp_bytes=33554432 chunk_delay_ms=0

expected control output contains:

[CALLSITE_HIT]: otlptracehttp.UploadTraces::io.Copy(resp.Body)
[NC_MARKER]: resp_bytes=33554432 peak_alloc_bytes=512232

attachments: poc.zip (attached)

PR_DESCRIPTION.md

attack_scenario.md

poc.zip

Fixed in: open-telemetry/opentelemetry-go#8108</alert_description>

moderate
GHSA-w8rr-5gcm-pp58, CVE-2026-39882
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp
go
<vulnerable_versions>= v1.38.0</vulnerable_versions>
<patched_version>1.43.0</patched_version>
<manifest_path>long-running-test-arch/xk6/go.mod</manifest_path>

https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-w8rr-5gcm-pp58
http://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.43.0
https://nvd.nist.gov/vuln/detail/CVE-2026-39882
https://github.com/open-telemetry/opentelemetry-go/pull/8108
https://github.com/advisories/GHSA-w8rr-5gcm-pp58

<task_instructions>Resolve this alert by updating the affected package to a non-vulnerable version. Prefer the lowest non-vulnerable version (see the patched_version field above) over the latest to minimize breaking changes. Include a Reachability Assessment section in the PR description. Review the alert_description field to understand which APIs, features, or configurations are affected, then search the codebase for usage of those specific items. If the vulnerable code path is reachable, explain how (which files, APIs, or call sites use the affected functionality) and note that the codebase is a...

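The root cause quoted in the alert above is a plain io.Copy of resp.Body into a bytes.Buffer, so peak heap during an export is chosen by whoever answers the collector endpoint. The following is an added example, not code from this PR, from k6, or from the opentelemetry-go fix in PR #8108 (whose exact change is not shown on this page). It puts the unbounded read next to a size-capped read built on io.LimitReader and runs both against a constructed collector that returns 200 OK followed by 8 MiB of filler. The 1 MiB cap, the function names (readBounded, readUnbounded, exportTraces, maliciousCollector) and the stand-in exporter are assumptions made here.

```go
package main

// Added example, not code from this PR or from opentelemetry-go. It contrasts
// the unbounded read pattern named in the advisory (io.Copy of resp.Body into
// a bytes.Buffer) with a size-capped read, against a constructed "malicious
// collector" that answers an export with an oversized body. The 1 MiB cap,
// the function names and the stand-in exporter are assumptions made here.

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// maxRespBodyBytes is the most of a collector response we keep in memory.
// Assumption for this example; an exporter only needs the body for a
// status/error message, so a small cap is enough.
const maxRespBodyBytes int64 = 1 << 20

// errBodyTooLarge is returned when the collector sends more than the cap.
var errBodyTooLarge = errors.New("collector response body exceeds size cap")

// readUnbounded reproduces the vulnerable pattern: peak heap grows with
// whatever the remote side decides to send.
func readUnbounded(body io.Reader) ([]byte, error) {
	var respData bytes.Buffer
	if _, err := io.Copy(&respData, body); err != nil {
		return nil, err
	}
	return respData.Bytes(), nil
}

// readBounded reads at most max bytes. It asks the LimitReader for max+1 so
// that a body of exactly max bytes is accepted while anything longer is
// detected without being buffered.
func readBounded(body io.Reader, max int64) ([]byte, error) {
	var respData bytes.Buffer
	n, err := io.Copy(&respData, io.LimitReader(body, max+1))
	if err != nil {
		return nil, err
	}
	if n > max {
		return respData.Bytes()[:max], errBodyTooLarge
	}
	return respData.Bytes(), nil
}

// readCapped is readBounded fixed to the example's cap, in the shape exportTraces expects.
func readCapped(body io.Reader) ([]byte, error) {
	return readBounded(body, maxRespBodyBytes)
}

// maliciousCollector is a constructed OTLP/HTTP endpoint that returns 200 OK
// followed by respBytes of filler in 64 KiB chunks, as an attacker-controlled
// or MitM'd collector could.
func maliciousCollector(respBytes int64) *httptest.Server {
	chunk := bytes.Repeat([]byte{'A'}, 64<<10)
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
		for remaining := respBytes; remaining > 0; {
			n := int64(len(chunk))
			if remaining < n {
				n = remaining
			}
			if _, err := w.Write(chunk[:n]); err != nil {
				return // client stopped reading; stop pushing bytes
			}
			remaining -= n
		}
	}))
}

// exportTraces stands in for an exporter's upload step: POST a payload to the
// collector and drain the response with the supplied body reader. It returns
// the HTTP status, the bytes kept in memory, and any read error.
func exportTraces(endpoint string, payload []byte, read func(io.Reader) ([]byte, error)) (int, []byte, error) {
	resp, err := http.Post(endpoint, "application/x-protobuf", bytes.NewReader(payload))
	if err != nil {
		return 0, nil, err
	}
	defer resp.Body.Close()
	data, err := read(resp.Body)
	return resp.StatusCode, data, err
}

func main() {
	srv := maliciousCollector(8 << 20) // 8 MiB response to a trace export
	defer srv.Close()
	payload := []byte("constructed trace export payload")

	status, kept, err := exportTraces(srv.URL, payload, readCapped)
	fmt.Printf("bounded:   status=%d kept=%d bytes err=%v\n", status, len(kept), err)

	status, kept, err = exportTraces(srv.URL, payload, readUnbounded)
	fmt.Printf("unbounded: status=%d kept=%d bytes err=%v\n", status, len(kept), err)
}
```

The capped variant keeps at most 1 MiB and reports errBodyTooLarge, while the unbounded variant holds the full 8 MiB on the heap before the exporter can even look at the status code. Whatever limit an exporter picks, the decisive property is that the bound is set by the client, not by the peer.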
Copilot AI changed the title [WIP] Fix vulnerability in OpenTelemetry HTTP exporters Fix CVE-2026-39882: Update OTLP trace exporters to v1.43.0 Apr 9, 2026
Copilot AI requested a review from cleverchuk April 9, 2026 19:09
@cleverchuk cleverchuk marked this pull request as ready for review April 10, 2026 13:40
@cleverchuk cleverchuk requested review from a team as code owners April 10, 2026 13:41
Copilot AI review requested due to automatic review settings April 10, 2026 13:41

Copilot AI left a comment


Pull request overview

Updates the Go module dependencies for the long-running-test-arch/xk6 (k6 OTEL output) component to remediate CVE-2026-39882 / GHSA-w8rr-5gcm-pp58 by bumping vulnerable OTLP trace exporter packages to the patched OpenTelemetry Go release.

Changes:

  • Bumped go.opentelemetry.io/otel/exporters/otlp/otlptrace* dependencies from v1.38.0 to v1.43.0 in go.mod (indirect).
  • Updated go.sum to reflect the new module versions and checksums.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

File Description
long-running-test-arch/xk6/go.mod Updates indirect OTLP trace exporter versions to v1.43.0 to clear the CVE.
long-running-test-arch/xk6/go.sum Refreshes checksums for the updated OTLP trace exporter modules.


@cheempz cheempz left a comment


LGTM if the failing release tests are not a concern.

