{"id":"GO-2024-2900","summary":"Denial of Service via Zip/Decompression Bomb sent over HTTP or gRPC in go.opentelemetry.io/collector/config/configgrpc","details":"An unsafe decompression vulnerability allows unauthenticated attackers to crash the collector via excessive memory consumption.","aliases":["BIT-opentelemetry-collector-2024-36129","CVE-2024-36129","GHSA-c74f-6mfw-mm4v"],"modified":"2026-03-17T04:53:19.648918Z","published":"2024-06-14T13:41:08Z","related":["CGA-r2vw-h78g-2q63"],"database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2024-2900"},"references":[{"type":"ADVISORY","url":"https://github.com/open-telemetry/opentelemetry-collector/security/advisories/GHSA-c74f-6mfw-mm4v"},{"type":"FIX","url":"https://github.com/open-telemetry/opentelemetry-collector/pull/10289"},{"type":"FIX","url":"https://github.com/open-telemetry/opentelemetry-collector/pull/10323"},{"type":"WEB","url":"https://opentelemetry.io/blog/2024/cve-2024-36129"}],"affected":[{"package":{"name":"go.opentelemetry.io/collector/config/configgrpc","ecosystem":"Go","purl":"pkg:golang/go.opentelemetry.io/collector/config/configgrpc"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.102.1"}]}],"ecosystem_specific":{"imports":[{"symbols":["ClientConfig.ToClientConn","getGRPCCompressionName"],"path":"go.opentelemetry.io/collector/config/configgrpc"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2024-2900.json"}},{"package":{"name":"go.opentelemetry.io/collector/config/confighttp","ecosystem":"Go","purl":"pkg:golang/go.opentelemetry.io/collector/config/confighttp"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.102.0"}]}],"ecosystem_specific":{"imports":[{"symbols":["ServerConfig.ToServer","clientInfoHandler.ServeHTTP","decompressor.ServeHTTP","httpContentDecompressor"],"path":"go.opentelemetry.io/collector/config/confighttp"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2024-2900.json"}}],"schema_version":"1.7.5"}