Impact
The vulnerability arises because OpenTelemetry eBPF Instrumentation (OBI) prior to version 0.9.0 exports the complete Redis error reply as the span status message. Since Redis error strings can include attacker‑controlled or sensitive values, this behavior results in the accidental leakage of tokens, personally identifiable information, or other confidential data into the telemetry backend and downstream analysis systems. The flaw represents a data exposure weakness (CWE‑117) and the logging of sensitive information (CWE‑532). An attacker cannot gain code execution or modify system configuration; the impact is limited to confidentiality breach through telemetry channels.
Affected Systems
All deployments of OpenTelemetry eBPF Instrumentation on top of the OpenTelemetry platform that use a Redis-backed instrumentation backend and run a version earlier than 0.9.0 are affected. This includes any environment where the eBPF instrumentation agent is installed and connects to a Redis server to export span status messages.
Risk and Exploitability
Based on the description, the likely attack vector is triggering Redis error replies. The CVSS score is 6.5, indicating moderate severity. No EPSS score is reported, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires that the attacker can trigger Redis error replies – typically by manipulating the Redis connection or providing malformed commands – and that the instrumented application is sending status messages to a telemetry backend. Once the error text is exported, the data is visible to any services consuming the telemetry stream, enabling passive exfiltration. Because the issue is driven by configuration and data flow rather than a flaw in the eBPF logic itself, detection may be difficult unless telemetry logs are audited.
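As an added illustration (not code from OBI, OpenTelemetry or this advisory), the Go functions below show one defensive pattern for the data flow described above: reduce a raw RESP error reply to its error class before it becomes a span status message, so the free-form tail that can echo command arguments never reaches the telemetry backend, and a second check that flags status messages already in an exported stream that still carry such a tail. The RESP samples, the `maxStatusLen` cap and the function names are constructed for this example; the page does not describe how version 0.9.0 itself changed the behaviour.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// maxStatusLen caps the length of the error class we are willing to export
// (constructed value for this example).
const maxStatusLen = 64

// isRedisErrorClass reports whether tok has the shape of a Redis error class
// token such as ERR, WRONGTYPE, NOAUTH or MOVED (upper-case letters, digits,
// underscore).
func isRedisErrorClass(tok string) bool {
	if tok == "" {
		return false
	}
	for _, r := range tok {
		if !(unicode.IsUpper(r) || unicode.IsDigit(r) || r == '_') {
			return false
		}
	}
	return true
}

// SanitizeRedisError turns a raw RESP error line ("-ERR unknown command ...")
// into a status message that keeps only the error class. Everything after the
// first whitespace is discarded because it may repeat attacker-controlled or
// sensitive command arguments.
func SanitizeRedisError(reply string) string {
	msg := strings.TrimPrefix(strings.TrimSpace(reply), "-")
	msg = strings.TrimSpace(msg)
	if msg == "" {
		return "redis error"
	}
	class := msg
	if i := strings.IndexFunc(msg, unicode.IsSpace); i >= 0 {
		class = msg[:i]
	}
	if !isRedisErrorClass(class) {
		// Unexpected shape: do not trust any part of it, emit a generic status.
		return "redis error"
	}
	if len(class) > maxStatusLen {
		class = class[:maxStatusLen]
	}
	return "redis error: " + class
}

// LooksLikeRawRedisError flags a span status message that still carries a
// full Redis error reply: an error-class token followed by free-form text.
// Useful when auditing an already-exported telemetry stream for the leak.
func LooksLikeRawRedisError(status string) bool {
	s := strings.TrimPrefix(strings.TrimSpace(status), "-")
	i := strings.IndexFunc(s, unicode.IsSpace)
	if i <= 0 {
		return false // no free-form remainder that could leak anything
	}
	class, rest := s[:i], strings.TrimSpace(s[i:])
	return rest != "" && isRedisErrorClass(class)
}

func main() {
	// Constructed RESP error replies, as a Redis client would receive them.
	replies := []string{
		"-ERR unknown command 'AUTH hunter2-token'\r\n",
		"-WRONGTYPE Operation against a key holding the wrong kind of value\r\n",
		"-NOAUTH Authentication required.\r\n",
	}
	for _, r := range replies {
		fmt.Printf("%-70q -> %q\n", r, SanitizeRedisError(r))
	}

	// Constructed status messages as they might appear in an exported span.
	exported := []string{
		"ERR unknown command 'AUTH hunter2-token'",
		"redis error: ERR",
		"OK",
	}
	for _, s := range exported {
		fmt.Printf("raw Redis error in status? %-45q %v\n", s, LooksLikeRawRedisError(s))
	}
}
```

The sanitizer deliberately fails closed: anything that does not start with a recognisable error class becomes the generic "redis error", because a status message that carries no detail is cheaper than one that leaks a credential.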
OpenCVE Enrichment
GitHub GHSA