This vulnerability resides in the Zipkin exporter component of the OpenTelemetry .NET SDK, which is used to send telemetry data to a Zipkin backend. The exporter maintains an internal remote endpoint cache. For each exported span, the exporter extracts a unique combination of span attributes to construct a key that identifies the remote service endpoint.

When processing spans in high-cardinality scenarios, such as those with user IDs, request IDs, or other highly variable span attributes, the number of unique keys grows without bound. The cache implementation has no maximum size limit and no eviction policy. As a result, each new unique remote endpoint key is permanently added to the cache, so the cache expands monotonically. Sustained high-cardinality traffic can cause the cache to accumulate millions of distinct entries.

This unbounded growth steadily increases the process's private memory consumption. As memory usage rises, garbage collection becomes more frequent, leading to degraded performance, increased latency, and eventual out-of-memory (OOM) conditions. The process may crash or exhibit denial-of-service (DoS) behavior, disrupting telemetry collection.

The fix replaces the unbounded cache with a bounded, thread-safe LRU (least recently used) cache capped at a fixed maximum size, preventing uncontrolled memory consumption.
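The following is an added example, not code from the OpenTelemetry project, showing the shape of the mitigation the fix describes: a bounded, thread-safe LRU cache that evicts the least recently used key once a fixed capacity is exceeded, so a stream of never-repeating remote endpoint keys cannot grow memory without limit. The class name, the capacity of 1000, and the constructed GUID-based keys are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;

// Added example (not the OpenTelemetry project's own code): a bounded, thread-safe
// LRU cache of the kind the fix describes. Name and capacity are assumptions.
public sealed class BoundedLruCache<TKey, TValue> where TKey : notnull
{
    private readonly int _capacity;
    private readonly object _sync = new();
    // Map from key to its node in the recency list; head of the list = most recently used.
    private readonly Dictionary<TKey, LinkedListNode<(TKey Key, TValue Value)>> _map = new();
    private readonly LinkedList<(TKey Key, TValue Value)> _order = new();

    public BoundedLruCache(int capacity)
    {
        if (capacity <= 0) throw new ArgumentOutOfRangeException(nameof(capacity));
        _capacity = capacity;
    }

    public int Count { get { lock (_sync) return _map.Count; } }

    // Returns the cached value for `key`, or builds it with `factory` and inserts it,
    // evicting the least recently used entry when the capacity would be exceeded.
    public TValue GetOrAdd(TKey key, Func<TKey, TValue> factory)
    {
        lock (_sync)
        {
            if (_map.TryGetValue(key, out var node))
            {
                // Cache hit: move to the head so it is the most recently used.
                _order.Remove(node);
                _order.AddFirst(node);
                return node.Value.Value;
            }

            var value = factory(key);
            var newNode = new LinkedListNode<(TKey Key, TValue Value)>((key, value));
            _order.AddFirst(newNode);
            _map[key] = newNode;

            if (_map.Count > _capacity)
            {
                // Evict the tail: the entry that has gone longest without being used.
                var lru = _order.Last!;
                _order.RemoveLast();
                _map.Remove(lru.Value.Key);
            }
            return value;
        }
    }
}

public static class Demo
{
    public static void Main()
    {
        var cache = new BoundedLruCache<string, string>(capacity: 1000);

        // Constructed input: one million distinct "remote endpoint" keys, the traffic
        // pattern the advisory describes. An unbounded dictionary would hold all
        // 1,000,000 entries; the bounded cache never exceeds its capacity.
        for (int i = 0; i < 1_000_000; i++)
        {
            cache.GetOrAdd($"service-{Guid.NewGuid()}", k => k.ToUpperInvariant());
        }

        Console.WriteLine($"entries after 1,000,000 inserts: {cache.Count}"); // 1000
    }
}
```

The single lock keeps the dictionary and the recency list consistent under concurrent export threads; the cost is a short critical section per span, which is the trade the real fix also makes by choosing a thread-safe LRU over an unsynchronized dictionary.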
Platform: .NET, NuGet
Version: ≤1.15.2
Vulnerability: Unbounded memory
Severity: Moderate
Date: 2026-04-28
Prediction: 2026-05-12
What Undercode Say:
Analytics:
To audit your project for the vulnerable package version:
dotnet list package --outdated | grep OpenTelemetry.Exporter.Zipkin
grep -E 'OpenTelemetry.Exporter.Zipkin' *.csproj
To simulate high-cardinality span attribute memory growth (proof-of-concept):
using System;
using System.Diagnostics;
// Assumes the OpenTelemetry SDK with the Zipkin exporter is already configured to listen to this source.
using var source = new ActivitySource("PoC");
for (int i = 0; i < 1000000; i++)
{
    using var activity = source.StartActivity($"Op{i}");
    // Each span carries a fresh GUID, so every export produces a new cache key.
    activity?.SetTag("endpoint.id", Guid.NewGuid().ToString());
}
Exploit:
An attacker can cause an application to export spans with a large number of unique remote endpoint values, exhausting system memory and crashing the process.
Protection from this CVE:
Upgrade to OpenTelemetry.Exporter.Zipkin version 1.15.3 or later. Mitigate by manually limiting span attribute cardinality or disabling the Zipkin exporter.
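Where upgrading is not immediately possible, the "limit span attribute cardinality" mitigation can be enforced centrally rather than at every call site. The following is an added example, not code from the OpenTelemetry project: a custom processor that removes known high-cardinality attributes and truncates over-long string values before any exporter sees the span. The attribute names in the drop list, the length limit of 64, and the "Demo" source name are assumptions chosen for illustration; the OpenTelemetry API calls used (BaseProcessor<Activity>, Sdk.CreateTracerProviderBuilder, AddProcessor, AddZipkinExporter, Activity.SetTag) are real.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using OpenTelemetry;
using OpenTelemetry.Trace;

// Added example, not the OpenTelemetry project's code: a processor that drops or
// truncates high-cardinality span attributes before the Zipkin exporter runs.
// The attribute names and the length limit below are assumptions for illustration.
public sealed class CardinalityLimitingProcessor : BaseProcessor<Activity>
{
    private static readonly HashSet<string> DropKeys = new(StringComparer.Ordinal)
    {
        "endpoint.id", "user.id", "request.id",
    };

    private const int MaxValueLength = 64;

    public override void OnEnd(Activity activity)
    {
        var rewrites = new List<KeyValuePair<string, object?>>();
        foreach (var tag in activity.TagObjects)
        {
            if (DropKeys.Contains(tag.Key))
            {
                // SetTag with a null value removes the tag.
                rewrites.Add(new(tag.Key, null));
            }
            else if (tag.Value is string s && s.Length > MaxValueLength)
            {
                rewrites.Add(new(tag.Key, s.Substring(0, MaxValueLength)));
            }
        }

        // Apply after enumerating: SetTag mutates the collection being iterated.
        foreach (var kv in rewrites)
        {
            activity.SetTag(kv.Key, kv.Value);
        }
    }
}

public static class Program
{
    public static void Main()
    {
        using var tracerProvider = Sdk.CreateTracerProviderBuilder()
            .AddSource("Demo")
            // Registered before the exporter so its OnEnd runs first in the chain.
            .AddProcessor(new CardinalityLimitingProcessor())
            .AddZipkinExporter()
            .Build();

        using var source = new ActivitySource("Demo");
        using var activity = source.StartActivity("Op");
        // Constructed sample: a per-request GUID of the kind that drives cache growth.
        activity?.SetTag("endpoint.id", Guid.NewGuid().ToString());
        activity?.SetTag("http.route", "/orders/{id}");
        // When the span ends, "endpoint.id" has been removed and the exporter's
        // remote endpoint key no longer varies per request.
    }
}
```

Processor order matters: processors run in registration order, and the exporter is itself the last processor, so the limiting processor must be added before AddZipkinExporter. This is a stopgap that reduces the rate at which the unbounded cache grows; it does not bound the cache, so the version upgrade remains the actual fix.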
Impact:
Unbounded memory growth leading to excessive resource consumption, application slowdown, or denial of service.
Sources:
Reported By: github.com

