Listen to this Post
When an OTLP exporter (gRPC/HTTP) receives a 4xx or 5xx error response, the original exporter read the entire response body into memory without enforcing any size limits. The vulnerability stems from a debugging feature added in pull request open-telemetry/opentelemetry-dotnet6564, which aimed to log the full error body to aid operators. An attacker controlling the collector endpoint (or performing a MitM attack) can exploit this by returning an arbitrarily large error response, causing the application to allocate an unbounded amount of heap memory. This leads to memory exhaustion, garbage-collection stalls, and ultimately an OutOfMemoryException, crashing the consuming process. The issue affects OTLP exporters for traces, metrics, and logs. The fix, implemented in pull request open-telemetry/opentelemetry-dotnet7017, caps the read limit at 4 MiB and only attempts to read the body if OpenTelemetry error logging is enabled.
Platform: .NET
Version: 1.13.1 to 1.15.2
Vulnerability: Memory exhaustion
Severity: Medium
date: 2026-04-23
Prediction: Patch already shipped
What Undercode Say:
Check your OpenTelemetry .NET package version dotnet list package --include-transitive | grep OpenTelemetry.Exporter.OpenTelemetryProtocol If vulnerable (1.13.1 <= version < 1.15.2), update immediately dotnet add package OpenTelemetry.Exporter.OpenTelemetryProtocol --version 1.15.2
How Exploit:
An attacker controlling the collector endpoint returns a huge HTTP 500 error response:
Malicious collector sending a 1 GB error response
curl -X POST https://malicious-collector/v1/traces -d '...' \
-H "Content-Type: application/x-protobuf" \
--write-out 'HTTP %{http_code}\n' \
--output /dev/null
Protection:
1. Update to OpenTelemetry .NET ≥ 1.15.2
2. Ensure collector endpoints are trusted
3. Use mTLS to prevent MitM attacks
4. Monitor memory usage with `dotnet counters`
Impact:
Denial of service via memory exhaustion, potentially crashing the entire application.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

