From f8aa048154cee08a89f35ae2128e4f1fa4d90e76 Mon Sep 17 00:00:00 2001
From: dmathieu <42@dmathieu.com>
Date: Mon, 9 Mar 2026 11:08:59 +0100
Subject: [PATCH 1/2] limit the number of bytes read from the zpages body

---
 zpages/tracez.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/zpages/tracez.go b/zpages/tracez.go
index b0ca486d31a..4f210e53251 100644
--- a/zpages/tracez.go
+++ b/zpages/tracez.go
@@ -41,6 +41,8 @@ const (
 	spanLatencyBucketQueryField = "zlatencybucket"
 	// maxTraceMessageLength is the maximum length of a message in tracez output.
 	maxTraceMessageLength = 1024
+
+	maxRequestBodySize = 1 << 20 // 1MB
 )
 
 type summaryTableData struct {
@@ -79,6 +81,8 @@ func NewTracezHandler(sp *SpanProcessor) http.Handler {
 // ServeHTTP implements the http.Handler and is capable of serving "tracez" HTTP requests.
 func (th *tracezHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+
+	r.Body = http.MaxBytesReader(w, r.Body, maxRequestBodySize)
 	if err := r.ParseForm(); err != nil {
 		w.WriteHeader(http.StatusBadRequest)
 		return

From c9ef2c7963e34cf8285f53673cd84a77d9608725 Mon Sep 17 00:00:00 2001
From: dmathieu <42@dmathieu.com>
Date: Mon, 9 Mar 2026 11:11:16 +0100
Subject: [PATCH 2/2] add changelog entry

---
 CHANGELOG.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 335ce37d55f..97f86fea6eb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,10 @@ This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.htm
 
 ## [Unreleased]
 
+### Fixed
+
+- Limit the request body size at 1MB in `go.opentelemetry.io/contrib/zpages`. (#8656)
+
 <!-- Released section -->
 <!-- Don't change this section unless doing release -->