fix(deps): update module go.opentelemetry.io/otel to v1.41.0 [security] - abandoned#1819
fix(deps): update module go.opentelemetry.io/otel to v1.41.0 [security] - abandoned#1819oep-renovate[bot] wants to merge 2 commits into
Conversation
Signed-off-by: oep-renovate[bot] <212772560+oep-renovate[bot]@users.noreply.github.com>
ℹ️ Artifact update noticeFile name: interactive_ai/libs/iai_core_go/go.modIn order to perform the update(s) described in the table above, Renovate ran the
Details:
File name: interactive_ai/services/inference_gateway/go.modIn order to perform the update(s) described in the table above, Renovate ran the
Details:
File name: interactive_ai/services/media/go.modIn order to perform the update(s) described in the table above, Renovate ran the
Details:
File name: platform/services/account/go.modIn order to perform the update(s) described in the table above, Renovate ran the
Details:
|
Edited/Blocked NotificationRenovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR. You can manually request rebase by checking the rebase/retry box above. |
Autoclosing SkippedThis PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error. |
This PR contains the following updates:
v1.40.0→v1.41.0OpenTelemetry-Go: multi-value
baggageheader extraction causes excessive allocations (remote dos amplification)CVE-2026-29181 / GHSA-mh2q-q3fh-2475
More information
Details
multi-value
baggage:header extraction parses each header field-value independently and aggregates members across values. this allows an attacker to amplify cpu and allocations by sending manybaggage:header lines, even when each individual value is within the 8192-byte per-value parse limit.severity
HIGH (availability / remote request amplification)
relevant links
vulnerability details
pins: open-telemetry/opentelemetry-go@1ee4a41
as-of: 2026-02-04
policy: direct (no program scope provided)
callsite: propagation/baggage.go:58 (
extractMultiBaggage)attacker control: inbound HTTP request headers (many
baggagefield-values) →propagation.HeaderCarrier.Values("baggage")→ repeatedbaggage.Parse+ member aggregationroot cause
extractMultiBaggageiterates over allbaggageheader field-values and parses each one independently, then appends members into a shared slice. the 8192-byte parsing cap applies per header value, but the multi-value path repeats that work once per header line (bounded only by the server/proxy header byte limit).impact
in a default
net/httpconfiguration (max header bytes 1mb), a single request with manybaggage:header field-values can cause large per-request allocations and increased latency.example from the attached PoC harness (darwin/arm64; 80 values; 40 requests):
per_req_alloc_bytes=10315458andp95_ms=7per_req_alloc_bytes=133429andp95_ms=0proof of concept
canonical:
output (excerpt):
control:
cd poc make controlcontrol output (excerpt):
expected: multiple
baggageheader field-values should be semantically equivalent to a single comma-joinedbaggagevalue and should not multiply parsing/alloc work within the effective header byte budget.actual: multiple
baggageheader field-values trigger repeated parsing and member aggregation, causing high per-request allocations and increased latency even when each individual value is within 8192 bytes.fix recommendation
avoid repeated parsing across multi-values by enforcing a global budget and/or normalizing multi-values into a single value before parsing. one mitigation approach is to treat multi-values as a single comma-joined string and cap total parsed bytes (for example 8192 bytes total).
fix accepted when: under the default PoC harness settings, canonical stays within 2x of control for
per_req_alloc_bytesandper_req_allocs, andp95_msstays below 2ms.poc.zip
PR_DESCRIPTION.md
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
OpenTelemetry-Go: multi-value
baggageheader extraction causes excessive allocations (remote dos amplification)CVE-2026-29181 / GHSA-mh2q-q3fh-2475
More information
Details
multi-value
baggage:header extraction parses each header field-value independently and aggregates members across values. this allows an attacker to amplify cpu and allocations by sending manybaggage:header lines, even when each individual value is within the 8192-byte per-value parse limit.severity
HIGH (availability / remote request amplification)
relevant links
vulnerability details
pins: open-telemetry/opentelemetry-go@1ee4a41
as-of: 2026-02-04
policy: direct (no program scope provided)
callsite: propagation/baggage.go:58 (
extractMultiBaggage)attacker control: inbound HTTP request headers (many
baggagefield-values) →propagation.HeaderCarrier.Values("baggage")→ repeatedbaggage.Parse+ member aggregationroot cause
extractMultiBaggageiterates over allbaggageheader field-values and parses each one independently, then appends members into a shared slice. the 8192-byte parsing cap applies per header value, but the multi-value path repeats that work once per header line (bounded only by the server/proxy header byte limit).impact
in a default
net/httpconfiguration (max header bytes 1mb), a single request with manybaggage:header field-values can cause large per-request allocations and increased latency.example from the attached PoC harness (darwin/arm64; 80 values; 40 requests):
per_req_alloc_bytes=10315458andp95_ms=7per_req_alloc_bytes=133429andp95_ms=0proof of concept
canonical:
output (excerpt):
control:
cd poc make controlcontrol output (excerpt):
expected: multiple
baggageheader field-values should be semantically equivalent to a single comma-joinedbaggagevalue and should not multiply parsing/alloc work within the effective header byte budget.actual: multiple
baggageheader field-values trigger repeated parsing and member aggregation, causing high per-request allocations and increased latency even when each individual value is within 8192 bytes.fix recommendation
avoid repeated parsing across multi-values by enforcing a global budget and/or normalizing multi-values into a single value before parsing. one mitigation approach is to treat multi-values as a single comma-joined string and cap total parsed bytes (for example 8192 bytes total).
fix accepted when: under the default PoC harness settings, canonical stays within 2x of control for
per_req_alloc_bytesandper_req_allocs, andp95_msstays below 2ms.poc.zip
PR_DESCRIPTION.md
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
open-telemetry/opentelemetry-go (go.opentelemetry.io/otel)
v1.41.0: /v0.63.0/v0.17.0/v0.0.15Compare Source
This release is the last to support Go 1.24. The next release will require at least Go 1.25.
Added
Fixed
Baggageingo.opentelemetry.io/otel/propagationandParseandNewingo.opentelemetry.io/otel/baggageto comply with W3C Baggage specification limits.NewandParsenow return partial baggage along with an error when limits are exceeded. Errors from baggage extraction are reported to the global error handler. (#7880)What's Changed
ce8ad4cby @renovate[bot] in #7860fe4bb1cby @renovate[bot] in #7861aaaaaa5by @renovate[bot] in #7869546029dby @renovate[bot] in #787186a5c4bby @renovate[bot] in #78762842357by @renovate[bot] in #78914cfbd41by @renovate[bot] in #7889oteltracegrpcby @itssaharsh in #78259f66faeby @renovate[bot] in #7898otlptracehttpbefore performing operation by @itssaharsh in #7881d566b4dby @renovate[bot] in #7972New Contributors
Full Changelog: open-telemetry/opentelemetry-go@v1.40.0...v1.41.0
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR has been generated by Mend Renovate.