OpenTelemetry Go SDK, Arbitrary Code Execution via PATH Hijacking, High Severity

Listen to this Post

The vulnerability in OpenTelemetry Go SDK versions 1.21.0 to 1.39.0 on macOS/Darwin systems allows arbitrary code execution via PATH hijacking. In the resource detection code at sdk/resource/host_id.go, the SDK uses exec.Command to run the ioreg system command without specifying its absolute path. This relies on the PATH environment variable to locate ioreg. An attacker with local access can modify the PATH variable to include a directory under their control. By placing a malicious executable named ioreg in that directory, when the SDK executes the command, it runs the attacker’s code instead of legitimate ioreg. This results in arbitrary code execution with the application’s privileges. The attack requires influencing the PATH, achievable through environment manipulation. The vulnerability is specific to macOS as ioreg is Darwin-specific for hardware info. The flawed code lacks path validation or fixed location, enabling search path hijacking. This can lead to application compromise if exploited. The patch in version 1.40.0 secures command execution by using the full path or validation.
Platform: OpenTelemetry Go SDK
Version: 1.21.0-1.39.0
Vulnerability: PATH Hijacking ACE
Severity: High
date: 2026-02-02

Prediction: 1.40.0 2026-02-02

What Undercode Say:

Analytics:

Vulnerable Go code from sdk/resource/host_id.go:

cmd := exec.Command("ioreg", "-rd1", "-c", "IOPlatformExpertDevice")

Bash commands for exploitation:

echo '!/bin/sh' > /tmp/ioreg
echo 'evil_command' >> /tmp/ioreg
chmod +x /tmp/ioreg
export PATH=/tmp:$PATH

How Exploit:

Set PATH to malicious directory containing fake ioreg executable.

Protection from this CVE:

Update to version 1.40.0.

Impact:

Arbitrary code execution.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top