Pellared

**Name of the Vulnerable Software and Affected Versions** OpenTelemetry Go (affected versions not specified) **Description** A denial-of-service issue exists due to the removal of raw-length rejection during baggage header parsing. The `Parse` function processes arbitrarily large or invalid baggage headers and logs errors, allowing a remote client to trigger excessive CPU and memory consumption. Specifically, in `baggage/baggage.go`, the `parseMember` function performs full parsing and `PathUnescape` on members without a size guard. Additionally, in `propagation/baggage.go`, parsing errors from attacker-controlled headers are sent to the global error handler, which by default performs logging, potentially amplifying the impact of oversized inputs. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenTelemetry-Go versions prior to 0.0.17 **Description** The `go.opentelemetry.io/otel/schema/v1.0` and `go.opentelemetry.io/otel/schema/v1.1` modules leak one file descriptor on each successful `ParseFile()` call. This occurs because `ParseFile()` opens the schema file and passes it to the `Parse()` function without closing it. In long-running processes, repeated parsing can exhaust the process file descriptor limit, leading to a denial of service. This issue is exploitable if a consuming application exposes repeated schema parsing to a path controlled by an attacker. **Recommendations** Update to version 0.0.17.

**Name of the Vulnerable Software and Affected Versions** OpenTelemetry-Go Contrib versions prior to 0.46.0 **Description** The issue is related to the grpc Unary Server Interceptor adding labels `net.peer.sock.addr` and `net.peer.sock.port` with unbound cardinality, leading to potential memory exhaustion when many malicious requests are sent. An attacker can easily flood the peer address and port for requests, causing a denial-of-service. **Recommendations** For versions prior to 0.46.0, as a temporary workaround, consider using a view that removes the attributes `net.peer.sock.addr` and `net.peer.sock.port`. Alternatively, disable grpc metrics instrumentation by passing `otelgrpc.WithMeterProvider` option with `noop.NewMeterProvider`. For a permanent solution, upgrade to version 0.46.0 or later, which contains a fix for this issue.