OpenTelemetry .NET OneCollector Exporter Uncontrolled Memory Consumption Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in the OpenTelemetry.Exporter.OneCollector package for .NET, affecting versions through 1.15.0. The issue arises in the HttpJsonPostTransport class, which reads the entire response body of unsuccessful HTTP requests (4xx or 5xx) into memory without any size limit. This behavior can be exploited if the response is controlled by an attacker or intercepted during transmission, leading to unbounded heap allocation. The excessive memory use can cause garbage collection stalls or trigger an OutOfMemoryException, terminating the application process.

Impact

Exploitation of this vulnerability can exhaust the application's memory and cause a denial-of-service condition: an oversized error response creates high transient memory pressure, leading to garbage-collection stalls or an OutOfMemoryException that terminates the process.

Remediation

Users can update to OpenTelemetry.Exporter.OneCollector version 1.15.1 or later, which addresses the vulnerability by limiting the response body size read in error conditions to 4 MiB. Additionally, network-level controls such as firewall rules, mTLS, or a service mesh can be used to prevent man-in-the-middle attacks on the configured back-end or collector endpoint.
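The following C# example is added here for illustration and is not the exporter's own code; it places the unbounded read pattern the advisory describes next to a bounded reader that stops at the 4 MiB cap mentioned above. The class name, method names and the sample response are assumptions.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Http;
using System.Text;
using System.Threading.Tasks;

// Illustrative only; not the OneCollector exporter's code. Shows the difference
// between draining an error body without a limit and capping the read.
static class ErrorBodyReader
{
    // Cap taken from the advisory text (the fixed version limits reads to 4 MiB).
    const long MaxErrorBodyBytes = 4L * 1024 * 1024;

    // Unbounded pattern described in the advisory: the peer chooses the allocation.
    public static Task<string> ReadUnboundedAsync(HttpResponseMessage response) =>
        response.Content.ReadAsStringAsync();

    // Bounded: never buffers more than MaxErrorBodyBytes, regardless of
    // Content-Length (which may be absent with chunked encoding, or wrong).
    public static async Task<string> ReadBoundedAsync(HttpResponseMessage response)
    {
        using Stream body = await response.Content.ReadAsStreamAsync().ConfigureAwait(false);
        using var sink = new MemoryStream();
        var chunk = new byte[8192];
        long remaining = MaxErrorBodyBytes;
        int read;
        while (remaining > 0 &&
               (read = await body.ReadAsync(chunk, 0, (int)Math.Min(chunk.Length, remaining))
                                 .ConfigureAwait(false)) > 0)
        {
            sink.Write(chunk, 0, read);
            remaining -= read;
        }
        string text = Encoding.UTF8.GetString(sink.GetBuffer(), 0, (int)sink.Length);
        // If the cap was hit, the rest of the body is left unread and dropped.
        return remaining == 0 ? text + " [truncated at 4 MiB]" : text;
    }

    static async Task Main()
    {
        // Constructed sample: a 5xx response carrying a 6 MiB body.
        var response = new HttpResponseMessage(HttpStatusCode.BadGateway)
        {
            Content = new StringContent(new string('x', 6 * 1024 * 1024))
        };
        string diagnostic = await ReadBoundedAsync(response);
        Console.WriteLine($"kept {diagnostic.Length} chars for the log");
    }
}
```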

Added: May 6, 2026, 10:19 PM
Updated: May 6, 2026, 10:19 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 7.3
remediation: 0.0
relevance: 7.6
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.