Impact
OpenTelemetry-Go's OTLP HTTP exporters read the entire HTTP response body returned by the collector into an in-memory buffer without applying any size limit. When the collector endpoint is controlled by an attacker, or when the exporter's connection to it can be intercepted by a man-in-the-middle, the size of that response is chosen by the attacker, so the exporting process can be driven into unbounded memory growth and a denial of service. An attacker triggers the issue either by directing the exporter at a malicious or spoofed endpoint that returns a very large response body, or by intercepting the exporter's traffic and injecting one. The weakness is classified as CWE-789 (Memory Allocation with Excessive Size Value): data of attacker-chosen length is buffered with no upper bound. The impact is a local denial of service on any system running the exporter. Because SDK exporters run in-process, the memory is consumed by the instrumented application itself, which interrupts telemetry export and can affect the availability of the application and host.
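The following Go program is an added example written for this page; it is not OpenTelemetry-Go's code and does not reproduce the project's exporter. It contrasts the vulnerable pattern the advisory describes (an unbounded io.ReadAll on the response body) with a bounded read, against a constructed stand-in for a hostile collector that streams an oversized response. The 1 MiB cap, the 64 KiB chunk size, the 4 MiB hostile response and all function names are assumptions chosen for the illustration, not values from the advisory or the project.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Illustrative cap on how much of a collector's response the exporter will
// buffer. Assumed value for this example, not a project setting.
const maxResponseBytes int64 = 1 << 20 // 1 MiB

var errResponseTooLarge = errors.New("collector response body exceeds limit")

// readAllUnbounded reproduces the vulnerable pattern: io.ReadAll keeps growing
// its buffer until the server ends the body, so the peer decides how much
// memory the client allocates.
func readAllUnbounded(body io.Reader) ([]byte, error) {
	return io.ReadAll(body)
}

// readAllBounded buffers at most limit bytes. It reads limit+1 so that a body
// exactly at the limit is accepted while a longer one is rejected without
// ever being fully buffered.
func readAllBounded(body io.Reader, limit int64) ([]byte, error) {
	b, err := io.ReadAll(io.LimitReader(body, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(b)) > limit {
		return nil, errResponseTooLarge
	}
	return b, nil
}

// hostileCollector is a constructed attacker-controlled OTLP endpoint: it
// answers every export with a body of totalBytes, streamed in 64 KiB chunks
// so the server itself never holds the whole payload in memory.
func hostileCollector(totalBytes int) *httptest.Server {
	chunk := make([]byte, 64*1024)
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/x-protobuf")
		w.WriteHeader(http.StatusOK)
		for sent := 0; sent < totalBytes; sent += len(chunk) {
			n := len(chunk)
			if rem := totalBytes - sent; rem < n {
				n = rem
			}
			if _, err := w.Write(chunk[:n]); err != nil {
				return // client closed the body early
			}
			if f, ok := w.(http.Flusher); ok {
				f.Flush()
			}
		}
	}))
}

// exportAndRead posts an (empty) export to url and reads the response with
// either the unbounded or the bounded reader, returning the bytes buffered.
func exportAndRead(url string, limit int64, bounded bool) (int, error) {
	resp, err := http.Post(url, "application/x-protobuf", nil)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	var b []byte
	if bounded {
		b, err = readAllBounded(resp.Body, limit)
	} else {
		b, err = readAllUnbounded(resp.Body)
	}
	return len(b), err
}

// Result summarises one run of both readers against a hostile collector.
type Result struct {
	UnboundedBytes int   // bytes the vulnerable reader buffered
	BoundedBytes   int   // bytes the bounded reader buffered (0 on rejection)
	BoundedErr     error // errResponseTooLarge when the cap was exceeded
}

// Run starts a hostile collector of totalBytes and exercises both readers.
func Run(totalBytes int, limit int64) Result {
	srv := hostileCollector(totalBytes)
	defer srv.Close()
	var res Result
	res.UnboundedBytes, _ = exportAndRead(srv.URL, limit, false)
	res.BoundedBytes, res.BoundedErr = exportAndRead(srv.URL, limit, true)
	return res
}

func main() {
	res := Run(4<<20, maxResponseBytes)
	fmt.Printf("unbounded read buffered %d bytes\n", res.UnboundedBytes)
	fmt.Printf("bounded read buffered %d bytes, err=%v\n", res.BoundedBytes, res.BoundedErr)
}
```

The unbounded reader faithfully buffers whatever the server sends (4 MiB here; a real attacker would simply keep streaming), while the bounded reader stops after limit+1 bytes, returns an error and closes the body, which also makes the hostile server's next Write fail. The same limit applies regardless of whether the server sets a Content-Length, since an attacker controls that header too.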
Affected Systems
OpenTelemetry-Go, the Go implementation of OpenTelemetry (identified as open-telemetry:opentelemetry-go), is affected in all versions prior to 1.43.0. Deployments on any of those versions that use the OTLP HTTP exporters for traces, metrics, or logs are vulnerable; the advisory names only the HTTP exporters. Version 1.43.0 is the fixed release, and no other patched versions are listed in the advisory.
Risk and Exploitability
The CVSS score of 5.3 places the vulnerability at medium severity, and an EPSS score below 1% indicates a low estimated probability of exploitation in the wild. It is not listed in the CISA KEV catalogue. Exploitation requires the attacker either to control the collector endpoint the exporter is configured to send to, or to intercept the exporter's traffic on the network path to it; both typically require network-level access, and the interception variant is only practical where the exporter-to-collector link is not protected by TLS with certificate verification. The outcome is a local denial of service on the exporting host, which matters most for systems with high-availability requirements. Upgrading to 1.43.0 or later is the remediation.
OpenCVE Enrichment
Github GHSA