PT-2026-34721 · Unknown · Opentelemetry.Sampler.Aws+1

Published 2026-04-23 · Updated 2026-04-28 · CVE-2026-41173

CVSS v3.1: 5.9 (Medium)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

OpenTelemetry.Sampler.AWS versions prior to 0.1.0-alpha.8
OpenTelemetry.Resources.AWS versions prior to 1.15.1

Description

OpenTelemetry.Sampler.AWS and OpenTelemetry.Resources.AWS read unbounded HTTP response bodies from configured endpoints into memory. In OpenTelemetry.Sampler.AWS, the AWSXRaySamplerClient.DoRequestAsync function calls HttpClient.SendAsync followed by ReadAsStringAsync(), which materializes the entire response body into a single in-memory string without a size limit. The sampling endpoint is configurable via AWSXRayRemoteSamplerBuilder.SetEndpoint (default: 'http://localhost:2000'). In OpenTelemetry.Resources.AWS, the AWSEC2Detector(), AWSECSDetector(), and AWSEKSDetector() functions make HTTP requests to AWS metadata services ('http://169.254.169.254', the endpoint named by ECS_CONTAINER_METADATA_URI / ECS_CONTAINER_METADATA_URI_V4, or 'https://kubernetes.default.svc'). An attacker who controls these endpoints or performs a Man-in-the-Middle (MitM) attack can return an arbitrarily large response body, causing unbounded heap allocation. This leads to high transient memory pressure, garbage-collection stalls, or an OutOfMemoryException that terminates the process, resulting in a Denial of Service (DoS).

Recommendations

Update OpenTelemetry.Sampler.AWS to version 0.1.0-alpha.8. Update OpenTelemetry.Resources.AWS to version 1.15.1. Ensure the X-Ray sampling endpoint is not accessible to untrusted parties. Use network-level controls such as firewall rules, mTLS, or a service mesh to prevent Man-in-the-Middle (MitM) attacks on the sampling endpoint and the EC2/ECS/EKS metadata connections. Place remote endpoints behind a reverse proxy that enforces a response body size limit.
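As an added illustration (not code from either OpenTelemetry package), the following C# shows a bounded replacement for the ReadAsStringAsync() pattern described above: the body is streamed and the read aborts once a cap is exceeded, whether or not the server declared a Content-Length. The 64 KiB limit and the two sample bodies are assumptions constructed for the demo.

```csharp
using System;
using System.IO;
using System.Net.Http;
using System.Text;
using System.Threading;
using System.Threading.Tasks;

// Added example, not OpenTelemetry project code. Reads at most maxBytes from an
// HTTP body so a hostile or MitM'd endpoint cannot force unbounded allocation.
static class BoundedBody
{
    public static async Task<string> ReadBoundedAsync(HttpContent content, int maxBytes, CancellationToken ct)
    {
        // Cheap early reject when the server declares a Content-Length.
        if (content.Headers.ContentLength is long declared && declared > maxBytes)
            throw new InvalidOperationException($"Declared body {declared} bytes exceeds limit {maxBytes}.");

        using var stream = await content.ReadAsStreamAsync(ct);
        using var buffer = new MemoryStream();
        var chunk = new byte[8192];
        int read;
        while ((read = await stream.ReadAsync(chunk, 0, chunk.Length, ct)) > 0)
        {
            // Enforce the cap on bytes actually received: Content-Length may be
            // absent (chunked transfer) or simply false.
            if (buffer.Length + read > maxBytes)
                throw new InvalidOperationException($"Body exceeds limit {maxBytes} bytes.");
            buffer.Write(chunk, 0, read);
        }
        return Encoding.UTF8.GetString(buffer.GetBuffer(), 0, (int)buffer.Length);
    }

    // Offline demo on constructed bodies: a small one that passes, an oversized one
    // that is rejected. The 64 KiB cap is an assumed value for rule/metadata responses.
    static async Task Main()
    {
        const int limit = 64 * 1024;
        var small = new StringContent("{\"SamplingRuleRecords\":[]}"); // constructed sample
        Console.WriteLine(await ReadBoundedAsync(small, limit, CancellationToken.None));

        var huge = new ByteArrayContent(new byte[limit + 1]); // constructed oversized body
        try { await ReadBoundedAsync(huge, limit, CancellationToken.None); }
        catch (InvalidOperationException e) { Console.WriteLine("Rejected: " + e.Message); }
    }
}
```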

Fix · DoS · Allocation of Resources Without Limits

Weakness Enumeration

Related Identifiers

CVE-2026-41173
GHSA-28XM-PRXC-5866

Affected Products

Opentelemetry.Resources.Aws
Opentelemetry.Sampler.Aws