OpenTelemetry JavaScript Client
Affected versions: < 0.217.0
A denial-of-service vulnerability has been identified in the OpenTelemetry JavaScript Client, specifically in versions prior to 0.217.0 of the Prometheus exporter. The issue arises because the metrics endpoint, which listens on 0.0.0.0:9464 by default, lacks proper error handling for URL parsing. As a result, a single malformed HTTP request can cause an uncaught TypeError that crashes any Node.js process using this exporter. This vulnerability is particularly concerning because the metrics endpoint is unauthenticated and accessible by any network client that can reach the metrics port.
Exploitation of this vulnerability leads to a process crash, causing a denial-of-service condition for the application.
To reproduce this vulnerability, start a Node.js application with the OpenTelemetry Prometheus exporter enabled, using a version earlier than 0.217.0. The exporter should be configured to listen on the default metrics port, 9464. Once the application is running, send a malformed HTTP request, such as one that includes an invalid URL, to the metrics endpoint. The Node.js process will crash immediately, displaying an uncaught TypeError indicating an invalid URL.
Users should update the OpenTelemetry Prometheus exporter and Node.js SDK to version 0.217.0 or later. Additionally, for those using the OpenTelemetry auto-instrumentations for Node.js, version 0.75.0 or later should be installed. If an immediate update is not possible, access to the metrics endpoint should be restricted from untrusted or unauthenticated network clients.