
chore(deps): update dependency opentelemetry.api to 1.15.3 [security] #125

Open
renovate[bot] wants to merge 1 commit into main from renovate/nuget-opentelemetry.api-vulnerability

Conversation


renovate bot (Contributor) commented Apr 23, 2026

This PR contains the following updates:

Package                       Change
OpenTelemetry.Api (source)    1.12.0 -> 1.15.3

OpenTelemetry dotnet: Excessive memory allocation when parsing OpenTelemetry propagation headers

CVE-2026-40894 / GHSA-g94r-2vxg-569j


Summary

The implementation details of the baggage, B3 and Jaeger processing code in the OpenTelemetry.Api and OpenTelemetry.Extensions.Propagators NuGet packages can allocate excessive memory when parsing which could create a potential denial of service (DoS) in the consuming application.

Details
Exceeding Limits

BaggagePropagator.Inject<T>() does not enforce the length limit of 8192 characters if the injected baggage contains only one item.

This change was introduced by #1048.

Excessive allocation

The following methods eagerly allocate intermediate arrays before applying size limits.

Impact

Excessively large propagation headers, particularly in degenerate/malformed cases that consist of large numbers of delimiter characters, can allocate excessive amounts of memory for intermediate storage of parsed content relative to the size of the original input.

Mitigation

HTTP servers often set maximum limits on the length of HTTP request headers, such as Internet Information Services (IIS) which sets a default limit of 16KB and nginx which sets a default limit of 8KB.

Workarounds

Possible workarounds include:

  • Configuring appropriate HTTP request header limits.
  • Disabling baggage and/or trace propagation.

Remediation

#7061 refactors the handling of baggage, B3 and Jaeger propagation headers to stop parsing eagerly when limits are exceeded and avoid allocating intermediate arrays.
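To make the difference between the eager parsing described under "Excessive allocation" and the bounded parsing that the remediation adopts concrete, here is an added example in Python. It is not code from the OpenTelemetry .NET project and does not reproduce its parsers; the 8192-character limit is the one the advisory names, while the 64-member budget, the function names and the allocation counters are assumptions made for this illustration. The input headers are constructed inline.

```python
# Added example (not code from the OpenTelemetry .NET project): an eager
# "split first, check limits later" parser beside a bounded parser that checks
# the total length before scanning and stops once a member budget is spent.
from typing import Dict, Optional, Tuple

MAX_HEADER_LENGTH = 8192   # total-length limit named in the advisory
MAX_MEMBERS = 64           # assumed member budget for this example only

# (parsed baggage or None when a limit is exceeded, substrings allocated)
ParseResult = Tuple[Optional[Dict[str, str]], int]


def parse_eager(header: str, max_members: int = MAX_MEMBERS) -> ParseResult:
    """Eager pattern: split the whole header, then apply limits.

    For a header made only of commas, split() creates len(header) + 1 empty
    strings (and one list per member) before any limit is consulted, which is
    the allocation behaviour the advisory describes.
    """
    members = header.split(",")
    pairs = [m.split("=", 1) for m in members]
    allocated = len(members) + sum(len(p) for p in pairs)
    if len(header) > MAX_HEADER_LENGTH or len(members) > max_members:
        return None, allocated
    baggage: Dict[str, str] = {}
    for pair in pairs:
        if len(pair) != 2:
            continue  # member without '=' is malformed and ignored
        key = pair[0].strip()
        value = pair[1].split(";", 1)[0].strip()  # drop properties after ';'
        if key:
            baggage[key] = value
    return baggage, allocated


def parse_bounded(header: str, max_members: int = MAX_MEMBERS) -> ParseResult:
    """Bounded pattern: reject oversize input up front, scan in place with
    find(), and stop as soon as the member budget is exhausted.

    Substrings are created only for members that are actually kept, so the
    allocation count follows the accepted output, not the input size.
    """
    if len(header) > MAX_HEADER_LENGTH:
        return None, 0
    baggage: Dict[str, str] = {}
    allocated = 0
    members_seen = 0
    start, n = 0, len(header)
    while start <= n:
        end = header.find(",", start)
        if end == -1:
            end = n
        # Every delimiter-separated segment, even an empty one, spends budget,
        # so a header of nothing but commas cannot force a long scan.
        members_seen += 1
        if members_seen > max_members:
            return None, allocated
        eq = header.find("=", start, end)
        if eq != -1:
            key = header[start:eq].strip()
            semi = header.find(";", eq + 1, end)
            value = header[eq + 1:(end if semi == -1 else semi)].strip()
            allocated += 2
            if key:
                baggage[key] = value
        start = end + 1
    return baggage, allocated


def inject_bounded(baggage: Dict[str, str]) -> Optional[str]:
    """Serialise baggage and apply the total-length limit to the result even
    when it holds a single member (the single-item case the advisory notes)."""
    header = ",".join(f"{key}={value}" for key, value in baggage.items())
    return header if len(header) <= MAX_HEADER_LENGTH else None


if __name__ == "__main__":
    # Constructed inputs: a normal header and a degenerate all-delimiter one.
    normal = "k=v,a=b;prop=1"
    degenerate = "," * 1000
    for name, header in (("normal", normal), ("degenerate", degenerate)):
        print(name, "eager:", parse_eager(header), "bounded:", parse_bounded(header))
    print("single oversize item:", inject_bounded({"k": "v" * 8191}))
```

On the degenerate input the eager parser materialises roughly two allocations per input character before rejecting the header, whereas the bounded parser rejects it after scanning 64 empty segments and allocating nothing. The serialisation check applies to the whole header independent of the member count, which is the gap the advisory describes for the single-item inject path. The real fix lives in C#, but the pattern carries over: check total length first, scan with index searches instead of splitting, stop at the budget, and apply the length limit on the way out regardless of how many items there are.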

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

open-telemetry/opentelemetry-dotnet (OpenTelemetry.Api)

v1.15.3

Release details: 1.15.3

  • Breaking change: Fixed tracestate parsing to reject keys that do not
    begin with a lowercase letter, including keys beginning with digits, to
    align with the W3C Trace Context specification.
  • Breaking change: Fixed an insecure disk retry default for OTLP export.
    Disk retry now requires OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH
    when OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY=disk is configured.
  • Improve efficiency of parsing of baggage and B3 propagation headers.
  • OtlpLogExporter now uses IHttpClientFactory on .NET 8+.
  • Fixed an issue in OTLP/gRPC retry handling where parsing gRPC status.
  • Fixed OTEL_SPAN_ATTRIBUTE_VALUE_LENGTH_LIMIT not being applied.
  • Fixed baggage and trace headers not respecting the maximum length in some cases.
  • Fixed BaggagePropagator to trim optional whitespace (OWS) around =
    separators when parsing the baggage header.
  • Fixed BaggagePropagator to strip baggage properties from values when
    parsing the baggage header.
  • Fixed OTLP persistent storage clean-up handling for malformed filenames.
  • Fixed resource leak in batch and periodic exporting task workers for Blazor/WASM.
  • Fixed LogRecord.LogLevel to preserve LogLevel.None.
  • Fixed OTEL_TRACES_SAMPLER_ARG handling for out-of-range values.
  • Fixed an issue with OTLP disk retry storage where metrics and logs used the
    traces storage directory.
  • Fixed full OTLP endpoint being logged by internal diagnostics.
  • Improve efficiency of parsing of baggage, B3 and Jaeger propagation headers.
  • Hardened Zipkin exporter memory usage for endpoint caching and array tag
    serialization.

v1.15.2

Release details: 1.15.2

  • Limit how much of the response body is read by the OTLP exporter when
    export fails and error logging is enabled.
  • Added Task-based worker support for BatchExportProcessor and
    PeriodicExportingMetricReader to enable the OpenTelemetry SDK to work
    in single-threaded WebAssembly environments such as Blazor and
    Uno Platform.

v1.15.1

Release details: 1.15.1

  • Breaking change: The Baggage API now disallows empty baggage names and
    treats baggage names and values as case sensitive, aligning with the latest
    Baggage API specification.
  • Various bug fixes across OpenTelemetry.Api and OpenTelemetry SDK,
    including fixes for thread-safety, sampler edge cases, metrics precision,
    and observable instrument lifecycle handling.

v1.15.0

Release details: 1.15.0

  • Added support for ActivitySource.TelemetrySchemaUrl
    and Meter.TelemetrySchemaUrl properties across exporters.
  • Improved performance and reduced memory consumption for metrics histograms.
  • Added mTLS configuration support for the OTLP exporter (client cert/key and
    CA certificate options).
  • OpenTelemetry.Exporter.Zipkin is deprecated and will stop receiving updates
    in December 2026. Zipkin already supports OTLP ingestion.
    Migrate to OpenTelemetry.Exporter.OpenTelemetryProtocol as stated
    in the Deprecating Zipkin Exporter blog post.

v1.14.0

Release details: 1.14.0

  • Add support for .NET 10.0.
  • Breaking Change: When targeting net8.0, the package now depends on version
    8.0.0 of the Microsoft.Extensions.DependencyInjection.Abstractions,
    Microsoft.Extensions.Diagnostics.Abstractions,
    Microsoft.Extensions.Hosting.Abstractions and
    Microsoft.Extensions.Logging.Configuration NuGet packages.
  • Update System.Diagnostics.DiagnosticSource dependency to 10.0.0
    for all target frameworks.
  • Update Microsoft.Extensions.* dependencies to 10.0.0
    for .NET Framework and .NET Standard.
  • Breaking Change: NuGet packages now use the Sigstore bundle format
    (.sigstore.json) for digital signatures instead of separate signature
    (.sig) and certificate (.pem) files. This requires cosign 3.0 or later
    for verification. See the Digital signing section for updated
    verification instructions.

v1.13.1

Release details: 1.13.1

  • In version 1.13.0, the digital signature (.dll-keyless.sig) and
    certificate (.dll-keyless.pem) files were unintentionally omitted from the
    published NuGet packages.
  • This hotfix restores the Sigstore signing artifacts for all target frameworks
    (net462, netstandard2.0, netstandard2.1, net8.0, net9.0), ensuring
    the integrity of DLL verification using Sigstore cosign.

v1.13.0

Release details: 1.13.0

  • gRPC calls to export traces, logs, and metrics using OtlpExportProtocol.Grpc
    now set the TE=trailers HTTP request header to improve interoperability.
  • EventName is now exported by default as EventName instead of
    logrecord.event.name when specified through ILogger or the experimental
    log bridge API.

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
