
Bump otlptracehttp to v1.43.0 to fix unbounded HTTP response body read#2727

Merged
AndreKurait merged 1 commit into opensearch-project:main from AndreKurait:fix-otlp-http-unbounded-read
Apr 15, 2026

Conversation

@AndreKurait
Member

Summary

Fixes Dependabot alert opentelemetry-go: OTLP HTTP exporters read unbounded HTTP response bodies #386.

The OTLP HTTP trace exporter reads resp.Body via io.Copy into a bytes.Buffer without a size cap on both success and error paths. A malicious collector endpoint can exploit this for memory exhaustion (OOM). Fixed upstream in open-telemetry/opentelemetry-go#8108.

Changes

  • go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp: 1.40.0 → 1.43.0 (security fix)
  • go.opentelemetry.io/otel/exporters/otlp/otlptrace: 1.40.0 → 1.43.0 (transitive)
  • go.opentelemetry.io/otel/exporters/stdout/stdoutmetric: 1.40.0 → 1.43.0 (aligned)
  • Transitive dependency bumps: grpc-gateway, golang.org/x/net, golang.org/x/text, google.golang.org/grpc, etc.

Verification

  • go build ./... passes
  • go mod tidy clean

…y read (CVE)

Addresses Dependabot alert opensearch-project#386: OTLP HTTP exporters read unbounded HTTP
response bodies, enabling memory exhaustion via a malicious collector endpoint.

Bumps go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp from
1.40.0 to 1.43.0 which includes the fix from open-telemetry/opentelemetry-go#8108.

Also aligns otlptrace and stdoutmetric exporters to v1.43.0 for consistency.

Signed-off-by: Andre Kurait <andrekurait@gmail.com>
@AndreKurait AndreKurait force-pushed the fix-otlp-http-unbounded-read branch from 26a11ca to 9d2b76a April 15, 2026 15:56
@codecov

codecov Bot commented Apr 15, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.50%. Comparing base (8ae21a1) to head (9d2b76a).
⚠️ Report is 6 commits behind head on main.

Additional details and impacted files
@@             Coverage Diff              @@
##               main    #2727      +/-   ##
============================================
- Coverage     73.51%   73.50%   -0.01%     
  Complexity      106      106              
============================================
  Files           722      722              
  Lines         33505    33505              
  Branches       2933     2930       -3     
============================================
- Hits          24630    24628       -2     
- Misses         7534     7536       +2     
  Partials       1341     1341              
Flag      Coverage Δ
gradle    69.89% <ø> (ø)
node      91.20% <ø> (ø)
python    77.75% <ø> (-0.03%) ⬇️


@AndreKurait AndreKurait enabled auto-merge April 15, 2026 16:02
@AndreKurait AndreKurait merged commit 2e4be2e into opensearch-project:main Apr 15, 2026
72 checks passed
AndreKurait added a commit to AndreKurait/opensearch-migrations that referenced this pull request Apr 15, 2026
…http-unbounded-read

Bump otlptracehttp to v1.43.0 to fix unbounded HTTP response body read