Npm · @Opentelemetry/Auto-Instrumentations-Node · CVE-2026-44902
**Name of the Vulnerable Software and Affected Versions**
opentelemetry-js versions prior to 0.217.0
**Description**
A single malformed HTTP request can crash any Node.js process running the OpenTelemetry JS Prometheus exporter. The metrics endpoint (default '0.0.0.0:9464') lacks error handling during URL parsing. When a request with an invalid URI is received, the `requestHandler` function calls the `URL` constructor, which throws an uncaught `TypeError`, resulting in a denial of service. This occurs because Node's HTTP parser accepts absolute-form request-targets for proxy compatibility, and a value such as "http://" (a scheme with no host) makes the constructor throw. The endpoint is unauthenticated by design and binds to '0.0.0.0' by default, making it reachable by any network client.
**Recommendations**
Update `@opentelemetry/exporter-prometheus` and `@opentelemetry/sdk-node` to version 0.217.0 or later.
Update `@opentelemetry/auto-instrumentations-node` to version 0.75.0 or later.
Restrict access to the metrics endpoint so it is not reachable by untrusted or unauthenticated network clients, such as binding the `host` option to '127.0.0.1'.
Use a firewall or network policy to restrict access to port '9464' to only trusted Prometheus scrape hosts.
Place the endpoint behind a reverse proxy to filter or validate incoming requests.