{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/@opentelemetry/exporter-prometheus/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["@opentelemetry/exporter-prometheus","@opentelemetry/sdk-node","@opentelemetry/auto-instrumentations-node"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","otel","prometheus","CVE-2026-44902"],"_cs_type":"advisory","_cs_vendors":["OpenTelemetry"],"content_html":"\u003cp\u003eThe OpenTelemetry Prometheus exporter is vulnerable to a denial-of-service attack. A single malformed HTTP request sent to the metrics endpoint (default \u003ccode\u003e0.0.0.0:9464\u003c/code\u003e) can crash any Node.js process running the exporter. The vulnerability lies in the lack of error handling when parsing the URL from the HTTP request. Specifically, the \u003ccode\u003enew URL()\u003c/code\u003e constructor within the \u003ccode\u003e_requestHandler\u003c/code\u003e in \u003ccode\u003ePrometheusExporter.ts\u003c/code\u003e throws a \u003ccode\u003eTypeError\u003c/code\u003e when provided with an invalid URI (e.g., \u003ccode\u003ehttp://\u003c/code\u003e). Because this exception is uncaught, it propagates and terminates the process. The affected packages are \u003ccode\u003e@opentelemetry/exporter-prometheus\u003c/code\u003e, \u003ccode\u003e@opentelemetry/sdk-node\u003c/code\u003e, and \u003ccode\u003e@opentelemetry/auto-instrumentations-node\u003c/code\u003e. 
This vulnerability exists in \u003ccode\u003e@opentelemetry/exporter-prometheus\u003c/code\u003e and \u003ccode\u003e@opentelemetry/sdk-node\u003c/code\u003e versions prior to 0.217.0, and in \u003ccode\u003e@opentelemetry/auto-instrumentations-node\u003c/code\u003e versions prior to 0.75.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a Node.js application using the OpenTelemetry Prometheus exporter.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malformed HTTP request containing an invalid URI (e.g., \u003ccode\u003eGET http:// HTTP/1.1\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker sends the malformed request to the application\u0026rsquo;s metrics endpoint (default port 9464).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ePrometheusExporter._requestHandler\u003c/code\u003e receives the request and attempts to parse the URL using \u003ccode\u003enew URL(request.url, this._baseUrl)\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eURL\u003c/code\u003e constructor throws a \u003ccode\u003eTypeError: Invalid URL\u003c/code\u003e due to the malformed URI.\u003c/li\u003e\n\u003cli\u003eThe exception is not caught within the \u003ccode\u003e_requestHandler\u003c/code\u003e, causing it to propagate.\u003c/li\u003e\n\u003cli\u003eThe uncaught exception terminates the Node.js process.\u003c/li\u003e\n\u003cli\u003eThe application becomes unavailable, resulting in a denial-of-service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation leads to a denial-of-service condition. Any application utilizing the OpenTelemetry Prometheus exporter\u0026rsquo;s built-in server can be crashed by an unauthenticated network packet sent to the metrics port. 
The vulnerability requires no prior access or privileges and can be triggered remotely, potentially affecting all instances of the application exposing the Prometheus endpoint.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003e@opentelemetry/exporter-prometheus\u003c/code\u003e and \u003ccode\u003e@opentelemetry/sdk-node\u003c/code\u003e to version 0.217.0 or later to resolve CVE-2026-44902.\u003c/li\u003e\n\u003cli\u003eUpgrade \u003ccode\u003e@opentelemetry/auto-instrumentations-node\u003c/code\u003e to version 0.75.0 or later to resolve CVE-2026-44902.\u003c/li\u003e\n\u003cli\u003eApply network policies to restrict access to port 9464 (or the configured metrics port) to only trusted Prometheus scrape hosts, as an interim mitigation.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect OpenTelemetry Prometheus Exporter Malformed HTTP Request\u003c/code\u003e to detect exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-11T14:43:32Z","date_published":"2026-05-11T14:43:32Z","id":"https://feed.craftedsignal.io/briefs/2026-05-opentelemetry-prometheus-dos/","summary":"A malformed HTTP request can crash any Node.js process running the OpenTelemetry JS Prometheus exporter. The metrics endpoint has no error handling around URL parsing, so a request with an invalid URI causes an uncaught `TypeError` that terminates the process, leading to a denial of service. 
Update `@opentelemetry/exporter-prometheus` and `@opentelemetry/sdk-node` to version **0.217.0** or later and `@opentelemetry/auto-instrumentations-node` to version **0.75.0** or later to remediate.","title":"OpenTelemetry Prometheus Exporter Denial-of-Service via Malformed HTTP Request (CVE-2026-44902)","url":"https://feed.craftedsignal.io/briefs/2026-05-opentelemetry-prometheus-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — @Opentelemetry/Exporter-Prometheus","version":"https://jsonfeed.org/version/1.1"}