PT-2026-39676 · Npm+2 · @Opentelemetry/Auto-Instrumentations-Node+8

Homanp · Published 2026-05-11 · Updated 2026-05-27 · CVE-2026-44902

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: opentelemetry-js versions prior to 0.217.0

Description: A single malformed HTTP request can crash any Node.js process running the OpenTelemetry JS Prometheus exporter. The metrics endpoint (default '0.0.0.0:9464') lacks error handling during URL parsing. When a request with an invalid URI is received, the requestHandler function calls the URL constructor, which throws an uncaught TypeError, resulting in a denial of service. This occurs because the HTTP parser accepts absolute-form URIs for proxy compatibility, and a value such as "http://" triggers the exception. The endpoint is unauthenticated by design and binds to '0.0.0.0' by default, making it reachable by any network client.

Recommendations:
Update @opentelemetry/exporter-prometheus and @opentelemetry/sdk-node to version 0.217.0 or later.
Update @opentelemetry/auto-instrumentations-node to version 0.75.0 or later.
Restrict access to the metrics endpoint so it is not reachable by untrusted or unauthenticated network clients, such as binding the host option to '127.0.0.1'.
Use a firewall or network policy to restrict access to port '9464' to only trusted Prometheus scrape hosts.
Place the endpoint behind a reverse proxy to filter or validate incoming requests.

Weakness Enumeration

Improper Handling of Exceptional Conditions

Related Identifiers

CVE-2026-44902
GHSA-Q7RR-3CGH-J5R3

Affected Products

@opentelemetry/auto-instrumentations-node
@opentelemetry/exporter-prometheus
@opentelemetry/sdk-node
@Rootio/Opentelemetry Exporter-Prometheus
@Rootio/Opentelemetry Sdk-Node
Auto-Instrumentations-Node
Exporter-Prometheus
Opentelemetry-Js
Sdk-Node