GO-2026-4985
Oversized OTLP HTTP response bodies can cause memory exhaustion in go.opentelemetry.io/otel/exporters/otlp
Details
The OTLP HTTP exporters (traces, metrics, and logs) do not limit the size of the HTTP response body read from the collector. A malicious or misconfigured collector can send a large response body, leading to excessive memory consumption and potential process termination (OOM).
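A bounded read of the kind that prevents this failure mode, as an added example (not code from the advisory and not the OpenTelemetry project's fix). The helper names, the 64 KiB and 2 MiB limits, and the local test server standing in for a collector are assumptions constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

var errResponseTooLarge = errors.New("collector response exceeds size limit")

// readBounded reads at most limit bytes from r and fails if more data is available.
func readBounded(r io.Reader, limit int64) ([]byte, error) {
	// Read limit+1 bytes so an oversized body is detected, not silently truncated.
	b, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(b)) > limit {
		return nil, errResponseTooLarge
	}
	return b, nil
}

// fetchBounded POSTs to a collector URL and returns the body, capped at limit bytes.
func fetchBounded(url string, limit int64) ([]byte, error) {
	resp, err := http.Post(url, "application/x-protobuf", strings.NewReader(""))
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	return readBounded(resp.Body, limit)
}

// oversizedCollector is a constructed local server that replies with n bytes.
func oversizedCollector(n int) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.Write([]byte(strings.Repeat("A", n)))
	}))
}

func main() {
	srv := oversizedCollector(1 << 20) // 1 MiB response body
	defer srv.Close()
	_, err := fetchBounded(srv.URL, 64<<10)
	fmt.Println("64 KiB limit:", err)
	body, err := fetchBounded(srv.URL, 2<<20)
	fmt.Println("2 MiB limit:", len(body), err)
}
```

Memory use per response is bounded by the limit plus one byte, whatever the collector sends.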
Affected packages
Go / go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp
Introduced in: 0
Fixed in: 0.19.0
Fix: go get go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp@v0.19.0

Go / go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp
Introduced in: 0
Fixed in: 1.43.0
Fix: go get go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp@v1.43.0

Go / go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp
Introduced in: 0
Fixed in: 1.43.0
Fix: go get go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp@v1.43.0