chore(deps): update module go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp to v1.43.0 [security] (main) by renovate-sh-app[bot] · Pull Request #14967 · grafana/mimir

renovate-sh-app · 2026-04-08T20:10:01Z

This PR contains the following updates:

Package	Change	Age	Confidence
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp	`v1.42.0` → `v1.43.0`

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

GitHub Vulnerability Alerts

CVE-2026-39882

overview:
this report shows that the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory bytes.Buffer without a size cap.

this is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can mitm the exporter connection).

severity

HIGH

not claiming: this is a remote dos against every default deployment.
claiming: if the exporter sends traces to an untrusted collector endpoint (or over a network segment where mitm is realistic), that endpoint can crash the process via a large response body.

callsite (pinned):

exporters/otlp/otlptrace/otlptracehttp/client.go:199
exporters/otlp/otlptrace/otlptracehttp/client.go:230
exporters/otlp/otlpmetric/otlpmetrichttp/client.go:170
exporters/otlp/otlpmetric/otlpmetrichttp/client.go:201
exporters/otlp/otlplog/otlploghttp/client.go:190
exporters/otlp/otlplog/otlploghttp/client.go:221

permalinks (pinned):

root cause:
each exporter client reads resp.Body using io.Copy(&respData, resp.Body) into a bytes.Buffer on both success and error paths, with no upper bound.

impact:
a malicious collector can force large transient heap allocations during export (peak memory scales with attacker-chosen response size) and can potentially crash the instrumented process (oom).

affected component:

go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp
go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp

repro (local-only):

unzip poc.zip -d poc
cd poc
make canonical resp_bytes=33554432 chunk_delay_ms=0

expected output contains:

[CALLSITE_HIT]: otlptracehttp.UploadTraces::io.Copy(resp.Body)
[PROOF_MARKER]: resp_bytes=33554432 peak_alloc_bytes=118050512

control (same env, patched target):

unzip poc.zip -d poc
cd poc
make control resp_bytes=33554432 chunk_delay_ms=0

expected control output contains:

[CALLSITE_HIT]: otlptracehttp.UploadTraces::io.Copy(resp.Body)
[NC_MARKER]: resp_bytes=33554432 peak_alloc_bytes=512232

attachments: poc.zip (attached)

PR_DESCRIPTION.md

attack_scenario.md

poc.zip

Fixed in: https://github.com/open-telemetry/opentelemetry-go/pull/8108

opentelemetry-go: OTLP HTTP exporters read unbounded HTTP response bodies

CVE-2026-39882 / GHSA-w8rr-5gcm-pp58

More information

Details

overview:
this report shows that the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory bytes.Buffer without a size cap.

this is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can mitm the exporter connection).

severity

HIGH

not claiming: this is a remote dos against every default deployment.
claiming: if the exporter sends traces to an untrusted collector endpoint (or over a network segment where mitm is realistic), that endpoint can crash the process via a large response body.

callsite (pinned):

exporters/otlp/otlptrace/otlptracehttp/client.go:199
exporters/otlp/otlptrace/otlptracehttp/client.go:230
exporters/otlp/otlpmetric/otlpmetrichttp/client.go:170
exporters/otlp/otlpmetric/otlpmetrichttp/client.go:201
exporters/otlp/otlplog/otlploghttp/client.go:190
exporters/otlp/otlplog/otlploghttp/client.go:221

permalinks (pinned):

root cause:
each exporter client reads resp.Body using io.Copy(&respData, resp.Body) into a bytes.Buffer on both success and error paths, with no upper bound.

impact:
a malicious collector can force large transient heap allocations during export (peak memory scales with attacker-chosen response size) and can potentially crash the instrumented process (oom).

affected component:

go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp
go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp

repro (local-only):

unzip poc.zip -d poc
cd poc
make canonical resp_bytes=33554432 chunk_delay_ms=0

expected output contains:

[CALLSITE_HIT]: otlptracehttp.UploadTraces::io.Copy(resp.Body)
[PROOF_MARKER]: resp_bytes=33554432 peak_alloc_bytes=118050512

control (same env, patched target):

unzip poc.zip -d poc
cd poc
make control resp_bytes=33554432 chunk_delay_ms=0

expected control output contains:

[CALLSITE_HIT]: otlptracehttp.UploadTraces::io.Copy(resp.Body)
[NC_MARKER]: resp_bytes=33554432 peak_alloc_bytes=512232

attachments: poc.zip (attached)

PR_DESCRIPTION.md

attack_scenario.md

poc.zip

Fixed in: https://github.com/open-telemetry/opentelemetry-go/pull/8108

Severity

CVSS Score: 5.3 / 10 (Medium)
Vector String: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

open-telemetry/opentelemetry-go (go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp)

`v1.43.0`: /v0.65.0/v0.19.0

Compare Source

Added

Add IsRandom and WithRandom on TraceFlags, and IsRandom on SpanContext in go.opentelemetry.io/otel/trace
for W3C Trace Context Level 2 Random Trace ID Flag support. (#8012)
Add service detection with WithService in go.opentelemetry.io/otel/sdk/resource. (#7642)
Add DefaultWithContext and EnvironmentWithContext in go.opentelemetry.io/otel/sdk/resource to support plumbing context.Context through default and environment detectors. (#8051)
Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc. (#8038)
Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc. (#8038)
Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc. (#8038)
Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp. (#8038)
Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp. (#8038)
Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp. (#8038)
Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest. (#8038)
Add support for per-series start time tracking for cumulative metrics in go.opentelemetry.io/otel/sdk/metric.
Set OTEL_GO_X_PER_SERIES_START_TIMESTAMPS=true to enable. (#8060)
Add WithCardinalityLimitSelector for metric reader for configuring cardinality limits specific to the instrument kind. (#7855)

Changed

Introduce the EMPTY Type in go.opentelemetry.io/otel/attribute to reflect that an empty value is now a valid value, with INVALID remaining as a deprecated alias of EMPTY. (#8038)
Refactor slice handling in go.opentelemetry.io/otel/attribute to optimize short slice values with fixed-size fast paths. (#8039)
Improve performance of span metric recording in go.opentelemetry.io/otel/sdk/trace by returning early if self-observability is not enabled. (#8067)
Improve formatting of metric data diffs in go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest. (#8073)

Deprecated

Deprecate INVALID in go.opentelemetry.io/otel/attribute. Use EMPTY instead. (#8038)

Fixed

Return spec-compliant TraceIdRatioBased description. This is a breaking behavioral change, but it is necessary to
make the implementation spec-compliant. (#8027)
Fix a race condition in go.opentelemetry.io/otel/sdk/metric where the lastvalue aggregation could collect the value 0 even when no zero-value measurements were recorded. (#8056)
Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp to mitigate excessive memory usage caused by a misconfigured or malicious server.
Responses exceeding the limit are treated as non-retryable errors. (#8108)
Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp to mitigate excessive memory usage caused by a misconfigured or malicious server.
Responses exceeding the limit are treated as non-retryable errors. (#8108)
Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp to mitigate excessive memory usage caused by a misconfigured or malicious server.
Responses exceeding the limit are treated as non-retryable errors. (#8108)
WithHostID detector in go.opentelemetry.io/otel/sdk/resource to use full path for kenv command on BSD. (#8113)
Fix missing request.GetBody in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp to correctly handle HTTP2 GOAWAY frame. (#8096)

What's Changed

chore(deps): update module github.com/jgautheron/goconst to v1.9.0 by @renovate[bot] in #8014
fix(deps): update github.com/opentracing-contrib/go-grpc/test digest to 190d7d4 by @renovate[bot] in #8013
chore(deps): update module go.yaml.in/yaml/v2 to v2.4.4 by @renovate[bot] in #8016
fix(deps): update module github.com/golangci/golangci-lint/v2 to v2.11.1 by @renovate[bot] in #8011
fix(deps): update golang.org/x by @renovate[bot] in #8023
fix(deps): update module github.com/golangci/golangci-lint/v2 to v2.11.2 by @renovate[bot] in #8020
chore(deps): update module github.com/mattn/go-runewidth to v0.0.21 by @renovate[bot] in #8017
chore(deps): update module codeberg.org/chavacava/garif to v0.2.1 by @renovate[bot] in #8019
Add doc on how to upgrade to new semconv by @jmmcorreia in #7807
fix(deps): update module go.opentelemetry.io/proto/otlp to v1.10.0 by @renovate[bot] in #8028
resource: add WithService detector option by @codeboten in #7642
fix(deps): update googleapis to a57be14 by @renovate[bot] in #8031
fix(deps): update module github.com/golangci/golangci-lint/v2 to v2.11.3 by @renovate[bot] in #8032
chore(deps): update module github.com/prometheus/procfs to v0.20.1 by @renovate[bot] in #8034
chore(deps): update github.com/securego/gosec/v2 digest to 8895462 by @renovate[bot] in #8036
chore(deps): update module github.com/sonatard/noctx to v0.5.1 by @renovate[bot] in #8040
chore(deps): update github.com/securego/gosec/v2 digest to 6e66a94 by @renovate[bot] in #8043
docs(otlp): document HTTP/protobuf insecure env vars by @marcschaeferger in #8037
Rebuild semconvkit and verifyreadmes on changes by @MrAlias in #7995
chore(sdk/trace): join errors properly by @ash2k in #8030
fix(deps): update googleapis to 84a4fc4 by @renovate[bot] in #8048
attribute: change INVALID Type to EMPTY and mark INVALID as deprecated by @pellared in #8038
fix(sdk/trace): return spec-compliant TraceIdRatioBased description by @ash2k in #8027
linting: add depguard rule to enforce semconv version by @ajuijas in #8041
chore(deps): update actions/download-artifact action to v8.0.1 by @renovate[bot] in #8046
chore(deps): update github.com/securego/gosec/v2 digest to b7b2c7b by @renovate[bot] in #8044
fix(deps): update golang.org/x by @renovate[bot] in #8045
Optimize attribute slice conversion by @MrAlias in #8039
Add benchmarks for end-to-end metrics SDK usage by @dashpole in #7768
fix(deps): update golang.org/x by @renovate[bot] in #8052
chore(deps): update github.com/securego/gosec/v2 digest to befce8d by @renovate[bot] in #8053
trace: add Random Trace ID Flag by @yuanyuanzhao3 in #8012
Improve aggregation concurrent safe tests by @dashpole in #8021
Add tests for exponential histogram concurrent-safety edge-cases by @dashpole in #8024
exphist: replace min, max, sum, and count with atomics by @dashpole in #8025
chore(deps): update github.com/securego/gosec/v2 digest to c2dfcec by @renovate[bot] in #8055
chore(deps): update otel/weaver docker tag to v0.22.0 by @renovate[bot] in #8058
chore(deps): update github.com/securego/gosec/v2 digest to dec52c4 by @renovate[bot] in #8063
chore(deps): update otel/weaver docker tag to v0.22.1 by @renovate[bot] in #8061
chore(deps): update github/codeql-action action to v4.33.0 by @renovate[bot] in #8065
Fix race in the lastvalue aggregation where 0 could be observed by @dashpole in #8056
chore(deps): update github.com/securego/gosec/v2 digest to 744bfb5 by @renovate[bot] in #8064
Migrate to new bare metal runner (Ubuntu 24) by @trask in #8068
sdk/resource: add WithContext variants for Default and Environment (#7808) by @ajuijas in #8051
Use atomics for exponential histogram buckets by @dashpole in #8057
Added the internal/observ package to stdoutlog by @yumosx in #7735
Add support for the development per-series starttime feature by @dashpole in #8060
sdk/trace/internal/observ: guard SpanStarted and spanLive with Enabled by @kouji-yoshimura in #8067
Cleanup exemplar featuregate readme by @dashpole in #8072
chore(deps): update codecov/codecov-action action to v5.5.3 by @renovate[bot] in #8080
chore(deps): update module github.com/ryanrolds/sqlclosecheck to v0.6.0 by @renovate[bot] in #8083
fix(deps): update github.com/opentracing-contrib/go-grpc/test digest to de6f1cc by @renovate[bot] in #8082
chore(deps): update module go.opentelemetry.io/collector/featuregate to v1.54.0 by @renovate[bot] in #8085
chore(deps): update module github.com/securego/gosec/v2 to v2.25.0 by @renovate[bot] in #8084
chore(deps): update module github.com/protonmail/go-crypto to v1.4.1 by @renovate[bot] in #8081
fix(deps): update module go.opentelemetry.io/collector/pdata to v1.54.0 by @renovate[bot] in #8086
chore(deps): update actions/cache action to v5.0.4 by @renovate[bot] in #8079
chore(deps): update module github.com/fatih/color to v1.19.0 by @renovate[bot] in #8087
fix(deps): update googleapis to d00831a by @renovate[bot] in #8078
chore(deps): update golang.org/x/telemetry digest to b6b0c46 by @renovate[bot] in #8076
fix(deps): update module google.golang.org/grpc to v1.79.3 [security] by @renovate[bot] in #8075
sdk/metric: Support specifying cardinality limits per instrument kinds by @petern48 in #7855
chore(deps): update github/codeql-action action to v4.34.0 by @renovate[bot] in #8088
chore(deps): update codspeedhq/action action to v4.12.1 by @renovate[bot] in #8089
chore(deps): update github/codeql-action action to v4.34.1 by @renovate[bot] in #8090
fix(deps): update module github.com/golangci/golangci-lint/v2 to v2.11.4 by @renovate[bot] in #8092
chore: fix noctx issues by @mmorel-35 in #8008
chore(deps): update module github.com/pelletier/go-toml/v2 to v2.3.0 by @renovate[bot] in #8095
chore(deps): update codecov/codecov-action action to v5.5.4 by @renovate[bot] in #8097
chore(deps): update codecov/codecov-action action to v6 by @renovate[bot] in #8098
chore(deps): update module github.com/tetafro/godot to v1.5.6 by @renovate[bot] in #8099
chore(deps): update module github.com/butuzov/ireturn to v0.4.1 by @renovate[bot] in #8100
chore(deps): update github/codeql-action action to v4.35.0 by @renovate[bot] in #8101
chore(deps): update actions/setup-go action to v6.4.0 by @renovate[bot] in #8107
chore(deps): update module github.com/go-git/go-git/v5 to v5.17.1 by @renovate[bot] in #8106
chore(deps): update module github.com/lucasb-eyer/go-colorful to v1.4.0 by @renovate[bot] in #8103
chore(deps): update github/codeql-action action to v4.35.1 by @renovate[bot] in #8102
chore(deps): update module github.com/hashicorp/go-version to v1.9.0 by @renovate[bot] in #8109
metricdatatest: Improve printing of diffs by @dashpole in #8073
fix(deps): update googleapis to d5a96ad by @renovate[bot] in #8112
chore(deps): update codspeedhq/action action to v4.13.0 by @renovate[bot] in #8114
fix(deps): update module go.opentelemetry.io/collector/pdata to v1.55.0 by @renovate[bot] in #8119
chore(deps): update fossas/fossa-action action to v1.9.0 by @renovate[bot] in #8118
chore(deps): update module github.com/go-git/go-git/v5 to v5.17.2 by @renovate[bot] in #8115
fix(deps): update googleapis to 9d38bb4 by @renovate[bot] in #8117
fix: support getBody in otelploghttp by @Tpuljak in #8096
fix(deps): update module google.golang.org/grpc to v1.80.0 by @renovate[bot] in #8121
Use an absolute path when calling bsd kenv by @dmathieu in #8113
limit response body size for OTLP HTTP exporters by @pellared in #8108
chore(deps): update github.com/golangci/dupl digest to c99c5cf by @renovate[bot] in #8122
chore(deps): update module github.com/mattn/go-runewidth to v0.0.22 by @renovate[bot] in #8131
Release v1.43.0 / v0.65.0 / v0.19.0 by @dmathieu in #8128

New Contributors

@jmmcorreia made their first contribution in #7807
@marcschaeferger made their first contribution in #8037
@ajuijas made their first contribution in #8041
@yuanyuanzhao3 made their first contribution in #8012
@kouji-yoshimura made their first contribution in #8067
@Tpuljak made their first contribution in #8096

Full Changelog: open-telemetry/opentelemetry-go@v1.42.0...v1.43.0

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

Need help?

You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.

Note

Medium Risk
Mostly a vendored dependency upgrade, but it changes runtime telemetry behavior (OTLP HTTP response handling, attribute semantics, metric aggregation options) which could impact observability or resource usage in production.

Overview
Updates vendored OpenTelemetry Go to v1.43.0 (plus related deps like google.golang.org/grpc v1.80.0, updated genproto, and gonum), refreshing go.mod/go.sum and vendor code.

The key functional fix is in the OTLP HTTP trace exporter (otlptracehttp): caps HTTP response bodies to 4MiB when reading success/error responses (mitigating memory-exhaustion CVE), and switches request creation to http.NewRequestWithContext.

This update also brings upstream SDK/API changes: attributes treat empty values as valid (EMPTY with INVALID deprecated), adds per-kind metric cardinality limit selection (WithCardinalityLimitSelector), introduces an experimental per-series start timestamp feature flag for cumulative metrics, and includes minor resource/trace updates (e.g., WithService, DefaultWithContext, TraceFlags random-bit helpers).

^{Reviewed by Cursor Bugbot for commit eb15027. Bugbot is set up for automated code reviews on this repo. Configure here.}

renovate-sh-app · 2026-04-08T20:10:05Z

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

10 additional dependencies were updated

Details:

Package	Change
`google.golang.org/grpc`	`v1.79.3` -> `v1.80.0`
`go.opentelemetry.io/otel`	`v1.42.0` -> `v1.43.0`
`go.opentelemetry.io/otel/sdk`	`v1.42.0` -> `v1.43.0`
`go.opentelemetry.io/otel/trace`	`v1.42.0` -> `v1.43.0`
`github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp`	`v1.30.0` -> `v1.31.0`
`go.opentelemetry.io/otel/exporters/otlp/otlptrace`	`v1.42.0` -> `v1.43.0`
`go.opentelemetry.io/otel/sdk/metric`	`v1.42.0` -> `v1.43.0`
`go.opentelemetry.io/otel/metric`	`v1.42.0` -> `v1.43.0`
`google.golang.org/genproto/googleapis/api`	`v0.0.0-20260226221140-a57be14db171` -> `v0.0.0-20260401024825-9d38bb4040a9`
`google.golang.org/genproto/googleapis/rpc`	`v0.0.0-20260226221140-a57be14db171` -> `v0.0.0-20260401024825-9d38bb4040a9`

…lptrace/otlptracehttp to v1.43.0 [security] | datasource | package | from | to | | ---------- | --------------------------------------------------------------- | ------- | ------- | | go | go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp | v1.42.0 | v1.43.0 | Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>

cursor

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix prepared a fix for the issue found in the latest run.

✅ Fixed: CVE fix incomplete for other affected HTTP exporters
- Updated otlpmetrichttp to v1.43.0 and otlploghttp to v0.19.0 in go.mod (with matching go.sum entries) so all affected OTLP HTTP exporters are on patched versions.

Or push these changes by commenting:

@cursor push e8956ec775

Preview (e8956ec775)

diff --git a/go.mod b/go.mod
--- a/go.mod
+++ b/go.mod
@@ -214,9 +214,9 @@
 	go.opentelemetry.io/contrib/samplers/jaegerremote v0.36.0 // indirect
 	go.opentelemetry.io/otel/exporters/jaeger v1.17.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.18.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.18.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.19.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.42.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.42.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.43.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.42.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.43.0 // indirect

diff --git a/go.sum b/go.sum
--- a/go.sum
+++ b/go.sum
@@ -1178,10 +1178,14 @@
 go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.18.0/go.mod h1:PFx9NgpNUKXdf7J4Q3agRxMs3Y07QhTCVipKmLsMKnU=
 go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.18.0 h1:icqq3Z34UrEFk2u+HMhTtRsvo7Ues+eiJVjaJt62njs=
 go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.18.0/go.mod h1:W2m8P+d5Wn5kipj4/xmbt9uMqezEKfBjzVJadfABSBE=
+go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.19.0 h1:HIBTQ3VO5aupLKjC90JgMqpezVXwFuq6Ryjn0/izoag=
+go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.19.0/go.mod h1:ji9vId85hMxqfvICA0Jt8JqEdrXaAkcpkI9HPXya0ro=
 go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.42.0 h1:MdKucPl/HbzckWWEisiNqMPhRrAOQX8r4jTuGr636gk=
 go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.42.0/go.mod h1:RolT8tWtfHcjajEH5wFIZ4Dgh5jpPdFXYV9pTAk/qjc=
 go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.42.0 h1:H7O6RlGOMTizyl3R08Kn5pdM06bnH8oscSj7o11tmLA=
 go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.42.0/go.mod h1:mBFWu/WOVDkWWsR7Tx7h6EpQB8wsv7P0Yrh0Pb7othc=
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.43.0 h1:w1K+pCJoPpQifuVpsKamUdn9U0zM3xUziVOqsGksUrY=
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.43.0/go.mod h1:HBy4BjzgVE8139ieRI75oXm3EcDN+6GhD88JT1Kjvxg=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0 h1:88Y4s2C8oTui1LGM6bTWkw0ICGcOLCAI5l6zsD1j20k=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0/go.mod h1:Vl1/iaggsuRlrHf/hfPJPvVag77kKyvrLeD10kpMl+A=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.42.0 h1:zWWrB1U6nqhS/k6zYB74CjRpuiitRtLLi68VcgmOEto=

_{You can send follow-ups to the cloud agent here.}

^{Reviewed by Cursor Bugbot for commit eb15027. Configure here.}

cursor · 2026-04-08T23:10:41Z

go.mod

 	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.42.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.42.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.42.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0 // indirect


CVE fix incomplete for other affected HTTP exporters

Medium Severity

The PR description explicitly identifies CVE-2026-39882 as affecting three HTTP exporters: otlptracehttp, otlpmetrichttp, and otlploghttp. However, only otlptracehttp is bumped to the fixed v1.43.0. The otlpmetrichttp remains at vulnerable v1.42.0 and otlploghttp remains at vulnerable v0.18.0. Both still contain the unbounded io.Copy of HTTP response bodies that enables memory exhaustion. If these indirect dependencies are reachable through autoexport or other transitive paths, the vulnerability persists for metric and log export.

Additional Locations (1)

go.mod#L216-L217

^{Reviewed by Cursor Bugbot for commit eb15027. Configure here.}

renovate-sh-app bot requested review from a team and stevesg as code owners April 8, 2026 20:10

renovate-sh-app bot added security-update update-minor labels Apr 8, 2026

renovate-sh-app bot force-pushed the deps-update/main-go-go.opentelemetry.io-otel-exporters-otlp-otlptrace-otlptracehttp-vulnerability branch from 90a1e9d to eb15027 Compare April 8, 2026 23:07

cursor bot reviewed Apr 8, 2026

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): update module go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp to v1.43.0 [security] (main)#14967

chore(deps): update module go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp to v1.43.0 [security] (main)#14967
renovate-sh-app[bot] wants to merge 1 commit intomainfrom
deps-update/main-go-go.opentelemetry.io-otel-exporters-otlp-otlptrace-otlptracehttp-vulnerability

renovate-sh-app bot commented Apr 8, 2026 •

edited by cursor bot

Loading

Uh oh!

renovate-sh-app bot commented Apr 8, 2026

Uh oh!

cursor bot left a comment •

edited

Loading

Uh oh!

cursor bot Apr 8, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

renovate-sh-app bot commented Apr 8, 2026 • edited by cursor bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

GitHub Vulnerability Alerts

CVE-2026-39882

opentelemetry-go: OTLP HTTP exporters read unbounded HTTP response bodies

Details

Severity

References

Release Notes

v1.43.0: /v0.65.0/v0.19.0

Added

Changed

Deprecated

Fixed

What's Changed

New Contributors

Configuration

Need help?

Uh oh!

renovate-sh-app bot commented Apr 8, 2026

ℹ️ Artifact update notice

File name: go.mod

Uh oh!

cursor bot left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

cursor bot Apr 8, 2026

Choose a reason for hiding this comment

CVE fix incomplete for other affected HTTP exporters

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

renovate-sh-app bot commented Apr 8, 2026 •

edited by cursor bot

Loading

`v1.43.0`: /v0.65.0/v0.19.0

cursor bot left a comment •

edited

Loading