OpenTelemetry (CVE-2026-41173): Unbounded HTTP Response Body Read Leading to Denial of Service (Critical)

Listen to this Post

The CVE-2026-41173 vulnerability resides in two OpenTelemetry .NET components: `OpenTelemetry.Sampler.AWS` and OpenTelemetry.Resources.AWS. Both components are susceptible to a Denial of Service (DoS) attack due to unbounded memory allocation when handling HTTP responses.

How CVE-2026-41173 Works

The vulnerability manifests when these components interact with potentially untrusted endpoints, as detailed below:
1. Root Cause in OpenTelemetry.Sampler.AWS: The `AWSXRaySamplerClient.DoRequestAsync` method uses `HttpClient.SendAsync` followed by ReadAsStringAsync().
2. Unbounded Memory Allocation: This approach reads the entire HTTP response body into a single, in-memory string without any size limitations.
3. Configurable Endpoint: The sampling endpoint is configurable via AWSXRayRemoteSamplerBuilder.SetEndpoint, with a default value of http://localhost:2000`.
4. Attacker's Leverage: An attacker who controls the configured endpoint, or can intercept traffic to it (Man-in-the-Middle), can return an arbitrarily large response body.
5. Impact of Large Response: This unbounded response causes excessive heap allocation in the consuming process, leading to high transient memory pressure.
6. Potential Consequences: The excessive memory pressure can cause garbage-collection stalls or an
OutOfMemoryException, which terminates the process.
7. Root Cause in
OpenTelemetry.Resources.AWS: TheAWSEC2Detector,AWSECSDetector, and `AWSEKSDetector` classes make HTTP requests to AWS metadata services.
8. Attack Vector: An attacker who controls these endpoints or intercepts the traffic can similarly return an oversized HTTP response body.
9. Denial of Service: In both cases, the result is a Denial of Service (DoS), destabilizing or crashing the application.
10. Mitigating Factors: The default X-Ray sampling endpoint is
http://localhost:2000`, which limits remote exposure.
11. Patches: The vulnerability is fixed in `OpenTelemetry.Sampler.AWS` version `0.1.0-alpha.8` and `OpenTelemetry.Resources.AWS` version 1.15.1.
12. Fix Implementation: The patches introduce size limits to `HttpClient` requests, streaming the response body instead of buffering it entirely in memory.
13. Workaround: Ensure the X-Ray sampling endpoint is not accessible to untrusted parties and use network-level controls to prevent MitM attacks.
14. CVSS Score: This vulnerability is classified as CRITICAL due to its potential for remote, unauthenticated Denial of Service.

DailyCVE Form

Platform: `OpenTelemetry.NET`
Version: `<0.1.0-alpha.8` Vulnerability: `Unbounded HTTP Read` Severity: `Critical` Date: `2026-04-23`

Prediction: `Patched 2026-04-14`

What Undercode Say

Check vulnerable versions
dotnet list package --outdated | grep -E "(OpenTelemetry.Sampler.AWS|OpenTelemetry.Resources.AWS)"
Verify memory pressure from large responses
curl -X GET http://localhost:2000 -H "Content-Length: 1000000000"
Upgrade to patched versions
dotnet add package OpenTelemetry.Sampler.AWS --version 0.1.0-alpha.8
dotnet add package OpenTelemetry.Resources.AWS --version 1.15.1

Exploit

  1. Identify a target application using vulnerable `OpenTelemetry` packages.
  2. Act as a Man-in-the-Middle (MitM) to intercept HTTP requests to the configured sampling endpoint (default: localhost:2000) or metadata service.
  3. Return an HTTP response with an extremely large body (e.g., several gigabytes).
  4. The vulnerable method `ReadAsStringAsync()` will read the entire response into memory.
  5. The application will experience high memory pressure, leading to garbage collection stalls.
  6. Eventually, an `OutOfMemoryException` is thrown, crashing the application and achieving a Denial of Service (DoS).

Protection from this CVE

Upgrade: Immediately update to `OpenTelemetry.Sampler.AWS` version `0.1.0-alpha.8` or higher and `OpenTelemetry.Resources.AWS` version `1.15.1` or higher.
Network Segmentation: Isolate the sampling endpoint (e.g., localhost:2000) to prevent remote access by untrusted parties.
Traffic Encryption: Enforce mTLS or service mesh to prevent Man-in-the-Middle (MitM) attacks on the communication channel.
Reverse Proxy: Place any remote endpoint behind a reverse proxy that enforces a response body size limit.
Monitor: Observe memory utilization and HTTP response sizes from AWS metadata services.

Impact

Primary: Remote, unauthenticated attackers can cause a Denial of Service (DoS) by crashing the application or service.
Secondary: Excessive memory consumption can lead to performance degradation for other services running on the same host.
Business: Application downtime, increased operational costs for auto-scaling and recovery, and potential data loss if the application crashes during a write operation.
Risk: Critical, as the attack can be performed without any prior authentication or privileges, simply by returning a large HTTP response.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top