PT-2023-33013 · Opentelemetry · @Opentelemetry/Instrumentation

Published 2023-08-09 · Updated 2023-08-09

CVSS v3.1: 8.1 (High)

Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L
Name of the vulnerable software and affected versions: @opentelemetry/instrumentation, versions prior to 0.41.2

Description: Passing user-supplied input directly to import() can lead to remote code execution. The import-in-the-middle ESM loader hook used by @opentelemetry/instrumentation generates a wrapper module on the fly from the import specifier it is handed, so a crafted specifier can alter the code of that generated module. The issue only arises when the ESM loader hook is active, which is why the workaround below includes removing the loader flags.

Recommendations: For versions prior to 0.41.2, update to version 0.41.2, which resolves the issue. As a temporary workaround, do not pass user-supplied input to import(); instead, map the input onto a fixed set of allowed values and import only those. If ECMAScript Modules support in @opentelemetry/instrumentation is not needed, ensure that none of the following options are set (on the command line or in NODE_OPTIONS):
--experimental-loader=@opentelemetry/instrumentation/hook.mjs
--experimental-loader @opentelemetry/instrumentation/hook.mjs
--loader=import-in-the-middle/hook.mjs
--loader import-in-the-middle/hook.mjs
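The following JavaScript is an added example and is not code from OpenTelemetry, import-in-the-middle, or this advisory. It shows two things: why string-templating an import specifier into generated module source is dangerous, and the allowlist check the recommendations ask for. The `buildWrapperSource*` functions are a constructed, simplified stand-in for "generating a wrapper module on the fly" and are not the real loader's code; the crafted specifier is constructed for the demonstration. The allowlist maps application-chosen names to built-in `node:` modules so the example runs offline.

```javascript
// Constructed illustration of the bug class, not the real loader's code:
// the specifier is interpolated straight into module source text, so a
// specifier containing a quote terminates the string literal and the rest
// of the input becomes statements in the generated module.
function buildWrapperSourceUnsafe(specifier) {
  return [
    `import * as original from '${specifier}';`,
    "export const wrapped = Object.assign({}, original);",
  ].join("\n");
}

// One hardening for a generator like this: emit the specifier as a JSON
// string literal so quotes and newlines stay inside the literal. (Shown as
// an illustration; upgrading to 0.41.2 is the actual fix.)
function buildWrapperSourceSafe(specifier) {
  return [
    `import * as original from ${JSON.stringify(specifier)};`,
    "export const wrapped = Object.assign({}, original);",
  ].join("\n");
}

// The recommended application-side workaround: never hand user input to
// import(). Accept only known names and map them to specifiers you chose.
// Built-in modules are used here so the example runs without network access.
const ALLOWED_MODULES = new Map([
  ["path", "node:path"],
  ["url", "node:url"],
]);

function resolveAllowedSpecifier(userInput) {
  if (typeof userInput !== "string" || !ALLOWED_MODULES.has(userInput)) {
    throw new Error(`module not allowed: ${JSON.stringify(String(userInput))}`);
  }
  // Return the allowlisted value, never the raw input, so even a key that
  // happens to match cannot smuggle extra characters into import().
  return ALLOWED_MODULES.get(userInput);
}

// Vulnerable pattern from the advisory: user-controlled specifier goes
// straight to import(). Defined only to show the contrast; never call it
// with untrusted input.
async function loadPluginUnsafe(userInput) {
  return import(userInput);
}

// Hardened pattern: import() only ever sees an allowlisted specifier.
async function loadPluginSafe(userInput) {
  return import(resolveAllowedSpecifier(userInput));
}

// Constructed attacker-controlled specifier, e.g. from a query parameter.
const CRAFTED_SPECIFIER = "x'; globalThis.pwned = true; //";

// Stand-alone demo: the unsafe template is broken out of, the safe template
// keeps the payload inside one literal, and the allowlist rejects it outright.
console.log("unsafe template:\n" + buildWrapperSourceUnsafe(CRAFTED_SPECIFIER));
console.log("safe template:\n" + buildWrapperSourceSafe(CRAFTED_SPECIFIER));
try {
  resolveAllowedSpecifier(CRAFTED_SPECIFIER);
} catch (e) {
  console.log("allowlist rejected crafted input:", e.message);
}
loadPluginSafe("path")
  .then((m) => console.log("loaded allowlisted module, join is", typeof m.join))
  .catch((e) => console.error("import failed:", e.message));
```

`loadPluginUnsafe` is intentionally never invoked; it is there only so the vulnerable and hardened call sites can be read side by side. Note that the allowlist accepts the name `path` but not the raw specifier `node:path`, which keeps the set of loadable modules entirely under the application's control.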


Related identifiers

GHSA-F8PQ-3926-8GX5

Affected products

@Opentelemetry/Instrumentation