OpenTelemetry-Go Contrib vulnerable to denial of service in otelhttp due to unbound cardinality metrics

### Report

https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-rcjv-mgp8-qvmr

OpenTelemetry-Go Contrib has a [handler wrapper otelhttp](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65) that adds the following labels by deafult that have unbound cardinality:

    http.user_agent
    http.method

This leads to the server's potential memory exhaustion when many malicious requests are sent to it.



Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

OpenTelemetry-Go Contrib vulnerable to denial of service in otelhttp due to unbound cardinality metrics #5089

Report

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

OpenTelemetry-Go Contrib vulnerable to denial of service in otelhttp due to unbound cardinality metrics #5089

Description

Report

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions