Opentelemetry · Opentelemetry-Go · CVE-2026-24051
**Name of the Vulnerable Software and Affected Versions**
OpenTelemetry-Go versions 1.20.0 through 1.39.0
**Description**
The OpenTelemetry Go SDK versions 1.20.0 through 1.39.0 are susceptible to a path hijacking issue on macOS/Darwin systems. The resource detection code in `sdk/resource/host_id.go` executes the `ioreg` system command by name, so the binary is located through the `PATH` search path. An attacker who can modify the `PATH` environment variable locally can potentially achieve Arbitrary Code Execution (ACE) within the application's context.
**Recommendations**
Update to version 1.40.0 or later.
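
The lookup behaviour behind the description above, shown as an added example (not code from the OpenTelemetry-Go project): it compares what Go's `os/exec` would start for a bare command name with what it would start for a pinned absolute path, without running either. The function names, the `/usr/sbin/ioreg` location and the placeholder file are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
)

// pinnedIoreg is an assumption: the usual absolute location of ioreg on macOS.
const pinnedIoreg = "/usr/sbin/ioreg"

// resolvedBinary returns the file exec.Command would start for name, without
// starting it. A bare name is resolved through PATH; a name containing a path
// separator is used exactly as given.
func resolvedBinary(name string) string {
	return exec.Command(name).Path
}

// pathLookupDemo creates a scratch directory holding a harmless, constructed
// placeholder named "ioreg", puts that directory first in PATH, and reports
// what the bare-name and pinned invocations resolve to. Nothing is executed.
func pathLookupDemo() (bare, pinned, scratch string, err error) {
	scratch, err = os.MkdirTemp("", "pathdemo")
	if err != nil {
		return "", "", "", err
	}
	placeholder := filepath.Join(scratch, "ioreg")
	if err = os.WriteFile(placeholder, []byte("#!/bin/sh\nexit 0\n"), 0o755); err != nil {
		return "", "", scratch, err
	}
	old := os.Getenv("PATH")
	defer os.Setenv("PATH", old) // restore the caller's environment
	os.Setenv("PATH", scratch+string(os.PathListSeparator)+old)

	return resolvedBinary("ioreg"), resolvedBinary(pinnedIoreg), scratch, nil
}

func main() {
	bare, pinned, scratch, err := pathLookupDemo()
	if err != nil {
		fmt.Println("setup failed:", err)
		return
	}
	defer os.RemoveAll(scratch)
	fmt.Println("bare name resolves to:  ", bare)   // follows PATH
	fmt.Println("pinned path resolves to:", pinned) // independent of PATH
}
```

The same comparison is useful in code review: any `exec.Command` call whose first argument has no path separator inherits whatever `PATH` the process was started with.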