PT-2022-28158 · Unknown · Opentelemetry-Go Contrib

Aneurysm9 · Published 2022-07-15 · Updated 2023-10-16 · CVE-2023-25151

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: opentelemetry-go-contrib versions 0.38.0 through 0.38.0
Description: The issue is a denial of service caused by unbounded memory allocation when handling requests with constantly changing, random query strings. The httpconv.ServerRequest function sets the http.target attribute to the whole request URI, including the query string. Under cumulative temporality, metric instruments never forget previously seen measurement attributes, so the number of measurement series allocated grows in direct proportion to the number of unique URIs handled. A request-controlled query string therefore drives a steady increase in memory allocation, which can result in denial of service.
Recommendations: For opentelemetry-go-contrib version 0.38.0, upgrade to version 0.39.0 to address the issue. There are no known workarounds for this issue.
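As an added illustration (not code from the advisory or from the opentelemetry-go-contrib project), the Go program below simulates the cardinality growth the description refers to: a cumulative counter keyed on the http.target value retains one series per distinct value, so a full-URI attribute grows without bound under varying query strings while a path-only attribute stays at a single series. The function names and the sample URIs are constructed for this example.

```go
package main

import (
	"fmt"
	"net/url"
)

// TargetFull mirrors the 0.38.0 behaviour the advisory describes: the whole
// request URI, query string included, becomes the http.target value.
func TargetFull(rawURI string) string {
	u, err := url.ParseRequestURI(rawURI)
	if err != nil {
		return rawURI
	}
	return u.RequestURI()
}

// TargetPathOnly is the bounded alternative: only the path contributes to the
// attribute, so a varying query string cannot mint new metric series.
func TargetPathOnly(rawURI string) string {
	u, err := url.ParseRequestURI(rawURI)
	if err != nil {
		return rawURI
	}
	return u.Path
}

// Simulate replays n requests to one path, each with a fresh query string
// (constructed input), into a cumulative counter that keeps every attribute
// set it has ever seen. It returns how many series remain resident.
func Simulate(n int, target func(string) string) int {
	series := map[string]int{} // one entry per distinct http.target value
	for i := 0; i < n; i++ {
		series[target(fmt.Sprintf("/api/items?nonce=%d", i))]++
	}
	return len(series)
}

func main() {
	fmt.Println("full URI:", Simulate(1000, TargetFull))      // 1000 series
	fmt.Println("path only:", Simulate(1000, TargetPathOnly)) // 1 series
}
```

Watching the resident series count of an http.server metric grow with request volume, rather than with the number of distinct routes, is the operational symptom to alert on.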

Resource Exhaustion

Weakness Enumeration

Related Identifiers

CVE-2023-25151
GHSA-5R5M-65GX-7VRH
GO-2022-0322
GO-2023-1546
GO-2023-2113

Affected Products

Opentelemetry-Go Contrib