Description
The AWS X-Ray Remote Sampler package provides a sampler which can get sampling configurations from AWS X-Ray. Prior to 0.1.0-alpha.8, OpenTelemetry.Sampler.AWS reads unbounded HTTP response bodies from a configured AWS X-Ray remote sampling endpoint into memory. AWSXRaySamplerClient.DoRequestAsync called HttpClient.SendAsync followed by ReadAsStringAsync(), which materializes the entire HTTP response body into a single in-memory string with no size limit. The sampling endpoint is configurable via AWSXRayRemoteSamplerBuilder.SetEndpoint (default: http://localhost:2000). An attacker who controls the configured endpoint, or who can intercept traffic to it (MitM), can return an arbitrarily large response body. This causes unbounded heap allocation in the consuming process, leading to high transient memory pressure, garbage-collection stalls, or an OutOfMemoryException that terminates the process. This vulnerability is fixed in 0.1.0-alpha.8.
Published: 2026-04-23
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via memory exhaustion
Action: Patch
AI Analysis

Impact

A flaw in OpenTelemetry.Sampler.AWS allows an attacker that can control or intercept the configured AWS X‑Ray remote sampling endpoint to return an arbitrarily large HTTP response body. The sampler reads the entire response into memory with no size limit, causing unbounded heap allocation, high memory pressure, garbage‑collection stalls, or an OutOfMemoryException that terminates the process. This vulnerability can be exploited locally or remotely if the attacker can influence the endpoint the application uses.

Affected Systems

The issue affects the OpenTelemetry .NET Contrib library, specifically the AWS X‑Ray Remote Sampler component in versions prior to 0.1.0‑alpha.8. Any process using this sampler and connecting to a remote sampling endpoint can be impacted.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity. The EPSS score of less than 1% shows that the probability of exploitation is low at present, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector requires an attacker to control the endpoint or to perform a man‑in‑the‑middle attack in order to supply a large response; this is feasible if the endpoint is not properly secured or restricted.

Generated by OpenCVE AI on April 28, 2026 at 20:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update OpenTelemetry.Sampler.AWS to version 0.1.0‑alpha.8 or later, where the response body is read with a size bound rather than buffered whole.
  • Limit the configured remote sampling endpoint to a trusted host or IP address to prevent malicious responses.
  • If remote sampling is not required, disable the AWS X‑Ray remote sampler or remove the dependency altogether.

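The read pattern the advisory describes, alongside a bounded alternative, as an added C# illustration (not code from opentelemetry-dotnet-contrib; the class and method names and the 1 MiB cap are assumptions):

```csharp
// Added illustration, not opentelemetry-dotnet-contrib code. Names and the 1 MiB cap are assumptions.
using System.IO;
using System.Net.Http;
using System.Text;
using System.Threading;
using System.Threading.Tasks;

public static class SamplingResponseReader
{
    // Assumed cap: X-Ray sampling rule and target documents are small JSON payloads.
    private const long MaxResponseBytes = 1024 * 1024;

    // The pre-0.1.0-alpha.8 shape: the whole body is materialized with no size limit,
    // so whoever answers on the configured endpoint decides how much heap the process allocates.
    public static async Task<string> ReadUnboundedAsync(HttpClient http, HttpRequestMessage req, CancellationToken ct)
    {
        using HttpResponseMessage resp = await http.SendAsync(req, ct);
        return await resp.Content.ReadAsStringAsync(ct);
    }

    // Hardened: return as soon as headers arrive, reject an oversize Content-Length up front,
    // then copy the body chunk by chunk and abort the moment the cap would be exceeded.
    public static async Task<string> ReadBoundedAsync(HttpClient http, HttpRequestMessage req, CancellationToken ct)
    {
        using HttpResponseMessage resp =
            await http.SendAsync(req, HttpCompletionOption.ResponseHeadersRead, ct);
        resp.EnsureSuccessStatusCode();

        // A declared length above the cap is rejected before a single body byte is buffered.
        long? declared = resp.Content.Headers.ContentLength;
        if (declared > MaxResponseBytes)
            throw new InvalidDataException($"declared body {declared} bytes exceeds cap {MaxResponseBytes}");

        // Chunked or lying servers get no Content-Length, so the running total is enforced too.
        using Stream body = await resp.Content.ReadAsStreamAsync(ct);
        using var buffered = new MemoryStream();
        byte[] chunk = new byte[8192];
        int n;
        while ((n = await body.ReadAsync(chunk, ct)) > 0)
        {
            if (buffered.Length + n > MaxResponseBytes)
                throw new InvalidDataException($"body exceeds cap {MaxResponseBytes} bytes; read aborted");
            buffered.Write(chunk, 0, n);
        }
        return Encoding.UTF8.GetString(buffered.GetBuffer(), 0, (int)buffered.Length);
    }
}
```

For callers that keep the default buffered path, setting HttpClient.MaxResponseContentBufferSize enforces a comparable cap inside HttpClient itself.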


Advisories
Source: GitHub GHSA
ID: GHSA-28xm-prxc-5866
Title: OpenTelemetry.Sampler.AWS & OpenTelemetry.Resources.AWS have unbounded HTTP response body reads
History

Tue, 28 Apr 2026 09:45:00 +0000

Type: First Time appeared
Values Added: Opentelemetry; Opentelemetry opentelemetry-dotnet-contrib
Type: Vendors & Products
Values Added: Opentelemetry; Opentelemetry opentelemetry-dotnet-contrib

Thu, 23 Apr 2026 20:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 18:45:00 +0000

Type: Description
Values Added: the CVE description (identical to the Description at the top of this page)
Type: Title
Values Added: Unbounded HTTP response body read in OpenTelemetry.Sampler.AWS
Type: Weaknesses
Values Added: CWE-770
Type: References
Values Added:
Type: Metrics (cvssV3_1)
Values Added: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-23T19:16:04.096Z

Reserved: 2026-04-17T16:34:45.525Z

Link: CVE-2026-41173

Vulnrichment

Updated: 2026-04-23T19:15:20.291Z

NVD

Status : Awaiting Analysis

Published: 2026-04-23T19:17:29.083

Modified: 2026-04-24T14:50:56.203

Link: CVE-2026-41173

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T20:30:06Z