fix(security/high): update module go.opentelemetry.io/otel to v1.41.0 [security]#263
Open
renovate-sh-app[bot] wants to merge 1 commit into
Open
Conversation
Contributor
Author
ℹ️ Artifact update noticeFile name: go.modIn order to perform the update(s) described in the table above, Renovate ran the
Details:
|
renovate-sh-app
Bot
changed the title
renovate-sh-app
Bot
deleted the
renovate/go-go.opentelemetry.io-otel-vulnerability
branch
renovate-sh-app
Bot
changed the title
renovate-sh-app
Bot
force-pushed
the
renovate/go-go.opentelemetry.io-otel-vulnerability
branch
3 times, most recently
from
2b703c5 to
36ef19d
Compare
renovate-sh-app
Bot
changed the title
renovate-sh-app
Bot
changed the title
renovate-sh-app
Bot
force-pushed
the
renovate/go-go.opentelemetry.io-otel-vulnerability
branch
5 times, most recently
from
7f2dd51 to
bda0dae
Compare
renovate-sh-app
Bot
changed the title
… [security] | datasource | package | from | to | | ---------- | ------------------------ | ------- | ------- | | go | go.opentelemetry.io/otel | v1.40.0 | v1.41.0 | Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
renovate-sh-app
Bot
changed the title
renovate-sh-app
Bot
force-pushed
the
renovate/go-go.opentelemetry.io-otel-vulnerability
branch
2 times, most recently
from
bda0dae to
98e8212
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v1.40.0→v1.41.0Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
OpenTelemetry-Go: multi-value
baggageheader extraction causes excessive allocations (remote dos amplification)CVE-2026-29181 / GHSA-mh2q-q3fh-2475
More information
Details
multi-value
baggage:header extraction parses each header field-value independently and aggregates members across values. this allows an attacker to amplify cpu and allocations by sending manybaggage:header lines, even when each individual value is within the 8192-byte per-value parse limit.severity
HIGH (availability / remote request amplification)
relevant links
vulnerability details
pins: open-telemetry/opentelemetry-go@1ee4a41
as-of: 2026-02-04
policy: direct (no program scope provided)
callsite: propagation/baggage.go:58 (
extractMultiBaggage)attacker control: inbound HTTP request headers (many
baggagefield-values) →propagation.HeaderCarrier.Values("baggage")→ repeatedbaggage.Parse+ member aggregationroot cause
extractMultiBaggageiterates over allbaggageheader field-values and parses each one independently, then appends members into a shared slice. the 8192-byte parsing cap applies per header value, but the multi-value path repeats that work once per header line (bounded only by the server/proxy header byte limit).impact
in a default
net/httpconfiguration (max header bytes 1mb), a single request with manybaggage:header field-values can cause large per-request allocations and increased latency.example from the attached PoC harness (darwin/arm64; 80 values; 40 requests):
per_req_alloc_bytes=10315458andp95_ms=7per_req_alloc_bytes=133429andp95_ms=0proof of concept
canonical:
output (excerpt):
control:
cd poc make controlcontrol output (excerpt):
expected: multiple
baggageheader field-values should be semantically equivalent to a single comma-joinedbaggagevalue and should not multiply parsing/alloc work within the effective header byte budget.actual: multiple
baggageheader field-values trigger repeated parsing and member aggregation, causing high per-request allocations and increased latency even when each individual value is within 8192 bytes.fix recommendation
avoid repeated parsing across multi-values by enforcing a global budget and/or normalizing multi-values into a single value before parsing. one mitigation approach is to treat multi-values as a single comma-joined string and cap total parsed bytes (for example 8192 bytes total).
fix accepted when: under the default PoC harness settings, canonical stays within 2x of control for
per_req_alloc_bytesandper_req_allocs, andp95_msstays below 2ms.poc.zip
PR_DESCRIPTION.md
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
OpenTelemetry-Go: multi-value
baggageheader extraction causes excessive allocations (remote dos amplification)CVE-2026-29181 / GHSA-mh2q-q3fh-2475
More information
Details
multi-value
baggage:header extraction parses each header field-value independently and aggregates members across values. this allows an attacker to amplify cpu and allocations by sending manybaggage:header lines, even when each individual value is within the 8192-byte per-value parse limit.severity
HIGH (availability / remote request amplification)
relevant links
vulnerability details
pins: open-telemetry/opentelemetry-go@1ee4a41
as-of: 2026-02-04
policy: direct (no program scope provided)
callsite: propagation/baggage.go:58 (
extractMultiBaggage)attacker control: inbound HTTP request headers (many
baggagefield-values) →propagation.HeaderCarrier.Values("baggage")→ repeatedbaggage.Parse+ member aggregationroot cause
extractMultiBaggageiterates over allbaggageheader field-values and parses each one independently, then appends members into a shared slice. the 8192-byte parsing cap applies per header value, but the multi-value path repeats that work once per header line (bounded only by the server/proxy header byte limit).impact
in a default
net/httpconfiguration (max header bytes 1mb), a single request with manybaggage:header field-values can cause large per-request allocations and increased latency.example from the attached PoC harness (darwin/arm64; 80 values; 40 requests):
per_req_alloc_bytes=10315458andp95_ms=7per_req_alloc_bytes=133429andp95_ms=0proof of concept
canonical:
output (excerpt):
control:
cd poc make controlcontrol output (excerpt):
expected: multiple
baggageheader field-values should be semantically equivalent to a single comma-joinedbaggagevalue and should not multiply parsing/alloc work within the effective header byte budget.actual: multiple
baggageheader field-values trigger repeated parsing and member aggregation, causing high per-request allocations and increased latency even when each individual value is within 8192 bytes.fix recommendation
avoid repeated parsing across multi-values by enforcing a global budget and/or normalizing multi-values into a single value before parsing. one mitigation approach is to treat multi-values as a single comma-joined string and cap total parsed bytes (for example 8192 bytes total).
fix accepted when: under the default PoC harness settings, canonical stays within 2x of control for
per_req_alloc_bytesandper_req_allocs, andp95_msstays below 2ms.poc.zip
PR_DESCRIPTION.md
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
open-telemetry/opentelemetry-go (go.opentelemetry.io/otel)
v1.41.0Compare Source
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
Need help?
You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.