{"id":"CVE-2023-25151","summary":"DoS vulnerability for high cardinality metrics in opentelemetry-go-contrib","details":"opentelemetry-go-contrib is a collection of extensions for OpenTelemetry-Go. The v0.38.0 release of `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` uses the `httpconv.ServerRequest` function to annotate metric measurements for the `http.server.request_content_length`, `http.server.response_content_length`, and `http.server.duration` instruments. The `ServerRequest` function sets the `http.target` attribute value to be the whole request URI (including the query string)[^1]. The metric instruments do not \"forget\" previous measurement attributes when `cumulative` temporality is used; as a result, the number of attribute sets (and the memory they occupy) grows with the number of unique URIs handled. If a client sends requests whose query strings constantly vary (e.g. random values), memory allocation grows without bound, which can be used in a denial-of-service attack. Because the attribute value is taken directly from the request URI, any client that can reach an instrumented HTTP server can trigger this without authentication (CVSS PR:N). This issue has been addressed in version 0.39.0. Users are advised to upgrade. 
There are no known workarounds for this issue.","aliases":["GHSA-5r5m-65gx-7vrh","GO-2023-1546"],"modified":"2026-03-20T12:25:47.215914Z","published":"2023-02-08T19:21:37.401Z","related":["GO-2022-0322","GO-2023-2113"],"database_specific":{"cwe_ids":["CWE-400"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/25xxx/CVE-2023-25151.json","cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/25xxx/CVE-2023-25151.json"},{"type":"ADVISORY","url":"https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-5r5m-65gx-7vrh"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-25151"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/open-telemetry/opentelemetry-go-contrib","events":[{"introduced":"538baec1f9c565a3c6557eda86474406ab5d69d0"},{"fixed":"0a2a048d07139eef24f25e6d8646f92a8c2f059f"}]}],"versions":["detectors/aws/ec2/v1.13.0","detectors/aws/ecs/v1.13.0","detectors/aws/eks/v1.13.0","detectors/aws/lambda/v0.38.0","detectors/gcp/v1.13.0","instrumentation/github.com/Shopify/sarama/otelsarama/example/v0.38.0","instrumentation/github.com/Shopify/sarama/otelsarama/test/v0.38.0","instrumentation/github.com/Shopify/sarama/otelsarama/v0.38.0","instrumentation/github.com/astaxie/beego/otelbeego/example/v0.38.0","instrumentation/github.com/astaxie/beego/otelbeego/test/v0.38.0","instrumentation/github.com/astaxie/beego/otelbeego/v0.38.0","instrumentation/github.com/aws/aws-lambda-go/otellambda/example/v0.38.0","instrumentation/github.com/aws/aws-lambda-go/otellambda/test/v0.38.0","instrumentation/github.com/aws/aws-lambda-go/otellambda/v0.38.0","instrumentation/github.com/aws/aws-lambda-go/otellambda/xrayconfig/v0.38.0","instrumentation/github.com/aws/aws-sdk-go-v2/otelaws/example/v0.38.0","instrumentat
ion/github.com/aws/aws-sdk-go-v2/otelaws/test/v0.38.0","instrumentation/github.com/aws/aws-sdk-go-v2/otelaws/v0.38.0","instrumentation/github.com/bradfitz/gomemcache/memcache/otelmemcache/example/v0.38.0","instrumentation/github.com/bradfitz/gomemcache/memcache/otelmemcache/test/v0.38.0","instrumentation/github.com/bradfitz/gomemcache/memcache/otelmemcache/v0.38.0","instrumentation/github.com/emicklei/go-restful/otelrestful/example/v0.38.0","instrumentation/github.com/emicklei/go-restful/otelrestful/test/v0.38.0","instrumentation/github.com/emicklei/go-restful/otelrestful/v0.38.0","instrumentation/github.com/gin-gonic/gin/otelgin/example/v0.38.0","instrumentation/github.com/gin-gonic/gin/otelgin/test/v0.38.0","instrumentation/github.com/gin-gonic/gin/otelgin/v0.38.0","instrumentation/github.com/go-kit/kit/otelkit/example/v0.38.0","instrumentation/github.com/go-kit/kit/otelkit/test/v0.38.0","instrumentation/github.com/go-kit/kit/otelkit/v0.38.0","instrumentation/github.com/gocql/gocql/otelgocql/example/v0.38.0","instrumentation/github.com/gocql/gocql/otelgocql/test/v0.38.0","instrumentation/github.com/gocql/gocql/otelgocql/v0.38.0","instrumentation/github.com/gorilla/mux/otelmux/example/v0.38.0","instrumentation/github.com/gorilla/mux/otelmux/test/v0.38.0","instrumentation/github.com/gorilla/mux/otelmux/v0.38.0","instrumentation/github.com/labstack/echo/otelecho/example/v0.38.0","instrumentation/github.com/labstack/echo/otelecho/test/v0.38.0","instrumentation/github.com/labstack/echo/otelecho/v0.38.0","instrumentation/go.mongodb.org/mongo-driver/mongo/otelmongo/test/v0.38.0","instrumentation/go.mongodb.org/mongo-driver/mongo/otelmongo/v0.38.0","instrumentation/google.golang.org/grpc/otelgrpc/example/v0.38.0","instrumentation/google.golang.org/grpc/otelgrpc/test/v0.38.0","instrumentation/google.golang.org/grpc/otelgrpc/v0.38.0","instrumentation/gopkg.in/macaron.v1/otelmacaron/example/v0.38.0","instrumentation/gopkg.in/macaron.v1/otelmacaron/test/v0.38.0","instrumentat
ion/gopkg.in/macaron.v1/otelmacaron/v0.38.0","instrumentation/host/example/v0.38.0","instrumentation/host/v0.38.0","instrumentation/net/http/httptrace/otelhttptrace/example/v0.38.0","instrumentation/net/http/httptrace/otelhttptrace/test/v0.38.0","instrumentation/net/http/httptrace/otelhttptrace/v0.38.0","instrumentation/net/http/otelhttp/example/v0.38.0","instrumentation/net/http/otelhttp/test/v0.38.0","instrumentation/net/http/otelhttp/v0.38.0","instrumentation/runtime/example/v0.38.0","instrumentation/runtime/v0.38.0","propagators/autoprop/v0.38.0","propagators/aws/v1.13.0","propagators/b3/v1.13.0","propagators/jaeger/v1.13.0","propagators/opencensus/examples/v0.38.0","propagators/opencensus/v0.38.0","propagators/ot/v1.13.0","samplers/aws/xray/v0.7.0","samplers/jaegerremote/example/v0.7.0","samplers/jaegerremote/v0.7.0","samplers/probability/consistent/v0.7.0","tools/v1.13.0","v1.13.0","zpages/v0.38.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-25151.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}