Conversation
Contributor
Author
ℹ️ Artifact update noticeFile name: go.modIn order to perform the update(s) described in the table above, Renovate ran the
Details:
|
grafana-plugins-platform-bot
Bot
moved this from 📬 Triage
to 🔬 In review
in Grafana Catalog Team
renovate-sh-app
Bot
changed the title
github-project-automation
Bot
moved this from 🔬 In review
to 🚀 Shipped
in Grafana Catalog Team
renovate-sh-app
Bot
deleted the
renovate/go-go.opentelemetry.io-otel-vulnerability
branch
…ity] | datasource | package | from | to | | ---------- | ------------------------ | ------- | ------- | | go | go.opentelemetry.io/otel | v1.39.0 | v1.41.0 | Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
renovate-sh-app
Bot
changed the title
renovate-sh-app
Bot
force-pushed
the
renovate/go-go.opentelemetry.io-otel-vulnerability
branch
from
698ad00 to
ddf4f0e
Compare
github-project-automation
Bot
moved this from 🚀 Shipped
to 💡 Ideation
in Grafana Catalog Team
renovate-sh-app
Bot
force-pushed
the
renovate/go-go.opentelemetry.io-otel-vulnerability
branch
from
ddf4f0e to
698ad00
Compare
academo
approved these changes
Apr 28, 2026
github-project-automation
Bot
moved this from 💡 Ideation
to 🔬 In review
in Grafana Catalog Team
github-project-automation
Bot
moved this from 🔬 In review
to 🚀 Shipped
in Grafana Catalog Team
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v1.39.0→v1.41.0Warning
Some dependencies could not be looked up. Check the warning logs for more information.
OpenTelemetry-Go: multi-value
baggageheader extraction causes excessive allocations (remote dos amplification)CVE-2026-29181 / GHSA-mh2q-q3fh-2475
More information
Details
multi-value
baggage:header extraction parses each header field-value independently and aggregates members across values. this allows an attacker to amplify cpu and allocations by sending manybaggage:header lines, even when each individual value is within the 8192-byte per-value parse limit.severity
HIGH (availability / remote request amplification)
relevant links
vulnerability details
pins: open-telemetry/opentelemetry-go@1ee4a41
as-of: 2026-02-04
policy: direct (no program scope provided)
callsite: propagation/baggage.go:58 (
extractMultiBaggage)attacker control: inbound HTTP request headers (many
baggagefield-values) →propagation.HeaderCarrier.Values("baggage")→ repeatedbaggage.Parse+ member aggregationroot cause
extractMultiBaggageiterates over allbaggageheader field-values and parses each one independently, then appends members into a shared slice. the 8192-byte parsing cap applies per header value, but the multi-value path repeats that work once per header line (bounded only by the server/proxy header byte limit).impact
in a default
net/httpconfiguration (max header bytes 1mb), a single request with manybaggage:header field-values can cause large per-request allocations and increased latency.example from the attached PoC harness (darwin/arm64; 80 values; 40 requests):
per_req_alloc_bytes=10315458andp95_ms=7per_req_alloc_bytes=133429andp95_ms=0proof of concept
canonical:
output (excerpt):
control:
cd poc make controlcontrol output (excerpt):
expected: multiple
baggageheader field-values should be semantically equivalent to a single comma-joinedbaggagevalue and should not multiply parsing/alloc work within the effective header byte budget.actual: multiple
baggageheader field-values trigger repeated parsing and member aggregation, causing high per-request allocations and increased latency even when each individual value is within 8192 bytes.fix recommendation
avoid repeated parsing across multi-values by enforcing a global budget and/or normalizing multi-values into a single value before parsing. one mitigation approach is to treat multi-values as a single comma-joined string and cap total parsed bytes (for example 8192 bytes total).
fix accepted when: under the default PoC harness settings, canonical stays within 2x of control for
per_req_alloc_bytesandper_req_allocs, andp95_msstays below 2ms.poc.zip
PR_DESCRIPTION.md
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
open-telemetry/opentelemetry-go (go.opentelemetry.io/otel)
v1.41.0Compare Source
v1.40.0Compare Source
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
Need help?
You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.