PatchSiren cyber security CVE debrief
CVE-2026-44902 OpenTelemetry CVE debrief
A vulnerability in the OpenTelemetry JavaScript Prometheus exporter allows remote attackers to crash Node.js processes via malformed HTTP requests. The metrics endpoint (default 0.0.0.0:9464) lacks error handling for URL parsing, causing an uncaught TypeError that terminates the process. This affects versions prior to 0.217.0. The vulnerability was published on 2026-05-27 and carries a HIGH severity CVSS score of 7.5. No known exploitation in ransomware campaigns has been reported.
- Vendor: OpenTelemetry
- Product: opentelemetry-js
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
Organizations running OpenTelemetry JavaScript instrumentation with the Prometheus exporter enabled, particularly those exposing metrics endpoints to network-accessible interfaces. DevOps teams, SREs, and platform engineers responsible for observability infrastructure should prioritize patching to prevent service disruption.
Technical summary
The OpenTelemetry JavaScript Prometheus exporter prior to version 0.217.0 contains a denial-of-service vulnerability. The metrics endpoint, which binds to 0.0.0.0:9464 by default, processes incoming HTTP requests without proper exception handling around URL parsing operations. When a malformed URI is received, the resulting TypeError is not caught, propagating as an uncaught exception that terminates the entire Node.js process. This represents a straightforward remote denial-of-service condition requiring no authentication. The vulnerability is classified under CWE-755 (Improper Handling of Exceptional Conditions). Remediation requires updating to version 0.217.0 where proper error handling has been implemented.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade opentelemetry-js to version 0.217.0 or later to remediate the vulnerability
- Implement network-level access controls to restrict access to the Prometheus metrics endpoint (default port 9464) to authorized monitoring infrastructure only
- Monitor application logs for unexpected process crashes or restarts that may indicate exploitation attempts
- Consider implementing a reverse proxy with request validation in front of the metrics endpoint as a defense-in-depth measure
- Review and test error handling in custom OpenTelemetry exporter configurations
Evidence notes
CVE description confirms the vulnerability mechanism: unhandled URL parsing errors in the Prometheus exporter metrics endpoint. CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H supports network-based, low-complexity denial of service. GitHub Security Advisory GHSA-q7rr-3cgh-j5r3 is cited as the primary reference. CWE-755 (Improper Handling of Exceptional Conditions) is the assigned weakness. Fix version 0.217.0 is explicitly stated.
Official resources
- CVE-2026-44902 CVE record (CVE.org)
- CVE-2026-44902 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-27