A vulnerability in OpenTelemetry Java's baggage propagation implementation allows unbounded memory allocation and CPU consumption when parsing oversized baggage headers. The issue affects opentelemetry-api and opentelemetry-extension-trace-propagators prior to version 1.62.0. Because baggage is automatically re-injected into every outgoing request, the amplification effect can propagate to downstream serv [truncated]
A vulnerability in the OpenTelemetry JavaScript Prometheus exporter allows remote attackers to crash Node.js processes via malformed HTTP requests. The metrics endpoint (default 0.0.0.0:9464) lacks error handling for URL parsing, causing an uncaught TypeError that terminates the process. This affects versions prior to 0.217.0. The vulnerability was published on 2026-05-27 and carries a HIGH severity CVSS [truncated]