fix(deps): update dependency @opentelemetry/core to v2.8.0 [security] #4960

Open
renovate[bot] wants to merge 1 commit into main from renovate/npm-opentelemetry-core-vulnerability

Conversation

renovate Bot commented Jun 16, 2026


This PR contains the following updates:

Package: @opentelemetry/core (source)
Change: 2.0.0 -> 2.8.0

OpenTelemetry Core: Unbounded memory allocation in W3C Baggage propagation

CVE-2026-54285 / GHSA-8988-4f7v-96qf

Overview

W3CBaggagePropagator.extract() in @opentelemetry/core does not enforce size limits when parsing inbound baggage HTTP headers. The W3C Baggage specification recommends a maximum of 8,192 bytes and 180 entries; these limits were only enforced on the outbound (inject()) path, not on the inbound (extract()) path. Parsing oversized baggage causes memory allocation proportional to the header size without any cap.

Impact

The practical availability impact for most Node.js deployments is limited. Node.js enforces a default --max-http-header-size of 16,384 bytes on the total combined size of all HTTP headers, constraining what an external attacker can deliver before the propagator is reached. Additionally, the header is already in memory (parsed by the HTTP layer) by the time it reaches the propagator - the additional allocation is the overhead of splitting into entry objects, not an unbounded read.

The risk is higher when transport-layer limits are absent - e.g., non-HTTP transports (messaging systems, custom TextMapGetter implementations) or deployments that have raised --max-http-header-size.

Remediation

Update @opentelemetry/core to version 2.8.0 or later. The fix enforces limits consistent with the W3C Baggage specification at the propagator level:

  • Maximum total baggage size: 8,192 bytes
  • Maximum number of entries: 180
  • Maximum per-entry size: 4,096 bytes

Headers that exceed these limits are truncated at the point the limit is reached.

Workarounds

Ensure header size limits are configured at the server or gateway level. The default Node.js HTTP header limit (16 KB) mitigates external attack vectors independently of this fix. For non-HTTP transports receiving baggage from untrusted sources, validate input size before passing it to the propagator.

Credit

Reported by tonghuaroot.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

open-telemetry/opentelemetry-js (@opentelemetry/core)

v2.8.0

🚀 Features
  • feat(sdk-trace-base): pretty-print SpanImpl, Tracer, and BasicTracerProvider via util.inspect so they render through diag and console.log #6690 @mcollina
  • feat(sdk-metrics): implement metric reader self-observability metrics #6449 @anuraaga
  • feat(core): add hrTimeToSeconds #6449 @anuraaga
🐛 Bug Fixes
  • fix(core): limit processing of incoming "baggage" header to 8192 bytes @pichlermarc

v2.7.1

🐛 Bug Fixes
  • fix(core, api): defer trace state validation. Deprecate trace state implementation in api #6459 @david-luna
    • important: this bug fix may be breaking for certain uses of TraceState
      • set now returns the same TraceState instance if the key/value are invalid or make the whole trace state invalid.
      • unset now returns the same TraceState instance if the key is not present.
      • best-effort parsing of invalid TraceStates has changed: when multiple keys with the same name are present, the most recent one wins.

v2.7.0

🐛 Bug Fixes
  • fix(opentelemetry-resources): do not discard OTEL_RESOURCE_ATTRIBUTES when it contains empty kv pairs

v2.6.1

🐛 Bug Fixes
  • fix(opentelemetry-instrumentation): improve the _warnOnPreloadedModules function so it does not log warnings when the module is not marked as loaded #6095 @rlj1202
  • fix(sdk-trace-base): derive internal SpanOptions from the API type to prevent drift #6478 @overbalance
  • fix(span): enforce attributePerEventCountLimit, attributePerLinkCountLimit, linkCountLimit, and attributeValueLengthLimit for event/link attributes #6479 @overbalance

v2.6.0

💥 Breaking Changes
  • fix(resources): update OTEL_RESOURCE_ATTRIBUTES parsing to match spec changes (open-telemetry/opentelemetry-specification#4856) #6261 @jacksonweber
    • Important: This fix is included in the "breaking changes" section because it can be breaking for some edge-case usage of OTEL_RESOURCE_ATTRIBUTES:
      • export OTEL_RESOURCE_ATTRIBUTES=foo=bar,spam will now be fully ignored, because the spam entry is invalid (missing =). Per spec, any parsing error results in ignoring the entire environment variable.
      • export OTEL_RESOURCE_ATTRIBUTES='wat=" spaces "' will now result in {"wat": "\" spaces \""} with the double quotes included in the value. Before this change the implementation included brittle double-quoting to allow leading and trailing whitespace in the value. To support leading or trailing whitespace now, you must percent-encode the whitespace. Internal whitespace still works without encoding, e.g. export OTEL_RESOURCE_ATTRIBUTES='green=eggs and ham'.

v2.5.1

🐛 Bug Fixes
  • fix(opentelemetry-sdk-node): the custom value from the env variable for service.instance.id should take priority over the random uuid used as a fallback #6345 @maryliag

v2.5.0

v2.4.0

🏠 Internal
  • chore(browser): fix CODEOWNERS paths for browser-related packages
  • refactor(sdk-metrics): remove Promise.allSettled() ponyfill #6277 @cjihrig

v2.3.0

🚀 Features
  • feat(sdk-trace-base): implement on ending in span processor #6024 @majanjua-amzn
    • note: this feature is experimental and subject to change

v2.2.0

🐛 Bug Fixes
  • fix(core): avoid leaking Node.js types via unrefTimer() util #5986 @pichlermarc
  • fix(core): avoid leaking Node.js types via otperformance #5987 @pichlermarc
    • important: this bug fix may be breaking for certain uses of otperformance
      • otperformance.now() and otperformance.timeOrigin are not affected.
      • the previously used type was incorrect and overly broad, leading to unexpected run-time behavior on runtimes that are not Node.js.
      • these problems are now caught at compile time: if you have been using this API and this change is breaking for you, please consider using your target platform's performance implementation instead.

v2.1.0

🐛 Bug Fixes
  • fix(sdk-metrics): Remove invalid default value for the startTime param to ExponentialHistogramAccumulation. This only impacted the closurescript compiler. #5763 @trentm

v2.0.1

🐛 Bug Fixes
  • fix(resources): guard asynchronous resource attribute rejections from causing unhandled promise rejection #5544 @dyladan
  • fix(resource): do not trigger the "Accessing resource attributes before async attributes settled" warning when detecting resources #5546 @dyladan
    • verbose logging of detected resource removed
  • fix(resource): use dynamic import over require to improve ESM compliance #5298 @xiaoxiangmoe
  • fix(core): getNumberFromEnv should return number | undefined #5874 @shubham-vunet

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate.
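The advisory's workaround says to validate baggage size before it reaches the propagator on transports that lack an HTTP header limit. The following is an added example, my own code rather than anything from this PR or from @opentelemetry/core: a pre-extraction guard that applies the three limits the advisory lists (8,192 bytes total, 180 entries, 4,096 bytes per entry) to a carrier such as a queue message's property map. The function names limitBaggageHeader and sanitizeCarrier and the sample message are constructed for this illustration.

```javascript
// Limits named in the advisory (W3C Baggage specification recommendations).
const MAX_TOTAL_BYTES = 8192;
const MAX_ENTRIES = 180;
const MAX_ENTRY_BYTES = 4096;

function byteLen(s) { return Buffer.byteLength(s, 'utf8'); } // wire (UTF-8) length

// Reduce a raw "baggage" header value to one that satisfies all three limits.
// Returns { header, entries, dropped }. Nothing past byte 8192 is ever parsed,
// so allocation is bounded whatever the input length; entries are then kept in
// order unless malformed (no '='), over the per-entry size, or over the
// total-size or entry-count limit. Empty list items are ignored.
function limitBaggageHeader(raw) {
  if (typeof raw !== 'string') return { header: '', entries: 0, dropped: 0 };
  // A JS string has at least as many UTF-8 bytes as UTF-16 code units, so slicing
  // by code units to MAX_TOTAL_BYTES bounds the work even for multibyte input.
  const bounded = raw.length > MAX_TOTAL_BYTES ? raw.slice(0, MAX_TOTAL_BYTES) : raw;
  const kept = [];
  let total = 0;   // byte length of kept.join(',')
  let dropped = 0;
  for (const piece of bounded.split(',')) {
    const entry = piece.trim();
    if (entry === '') continue;
    const len = byteLen(entry);
    const sep = kept.length ? 1 : 0; // the comma that would join this entry
    const ok = entry.indexOf('=') > 0 &&
      len <= MAX_ENTRY_BYTES &&
      kept.length < MAX_ENTRIES &&
      total + sep + len <= MAX_TOTAL_BYTES;
    if (ok) { kept.push(entry); total += sep + len; } else { dropped++; }
  }
  return { header: kept.join(','), entries: kept.length, dropped };
}

// Copy a carrier (e.g. a queue message's properties map, the object a custom
// TextMapGetter reads) with its baggage header limited, so the propagator never
// sees an oversized value. Header names are matched case-insensitively.
function sanitizeCarrier(carrier) {
  const out = {};
  for (const [name, value] of Object.entries(carrier)) {
    out[name] = name.toLowerCase() === 'baggage' ? limitBaggageHeader(value).header : value;
  }
  return out;
}

// Constructed sample: a message carrying 200 well-formed baggage entries.
const hostile = Array.from({ length: 200 }, (_, i) => `k${i}=v${i}`).join(',');
const safe = sanitizeCarrier({ 'content-type': 'application/json', Baggage: hostile });
```

Run the sanitized carrier through the propagator's extract() instead of the original; the entry count is capped at 180 and the byte total at 8,192 the same way the fixed propagator truncates.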

openshift-ci Bot commented Jun 16, 2026

Hi @renovate[bot]. Thanks for your PR.

I'm waiting for a redhat-developer member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

codecov Bot commented Jun 16, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 55.25%. Comparing base (48ca1bf) to head (62d3d30).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #4960      +/-   ##
==========================================
- Coverage   55.82%   55.25%   -0.58%     
==========================================
  Files         121      109      -12     
  Lines        2350     2132     -218     
  Branches      539      537       -2     
==========================================
- Hits         1312     1178     -134     
+ Misses       1033      953      -80     
+ Partials        5        1       -4     
Flag   Coverage         Δ
rhdh   55.25% <ø>   (-0.58%) ⬇️

Legend
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
@github-actions

Image was built and published successfully. It is available at:

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate Bot force-pushed the renovate/npm-opentelemetry-core-vulnerability branch from bae1882 to 62d3d30 Compare June 18, 2026 14:26
@github-actions

Image was built and published successfully. It is available at:
