Vendor
OpenTelemetry eBPF Instrumentation (OBI) Memcached Integer Overflow DoS
1 rule, 2 TTPs
A remotely reachable integer overflow in OpenTelemetry eBPF Instrumentation's (OBI) memcached text protocol parser can crash the OBI process, causing a denial of service due to unchecked arithmetic when handling large payload sizes in memcached storage commands.
OpenTelemetry eBPF Instrumentation MongoDB Parser Denial-of-Service
2 rules, 1 TTP
Malformed MongoDB wire messages can trigger uncaught panics in the OpenTelemetry eBPF Instrumentation agent's MongoDB TCP parser, allowing a remote unauthenticated attacker to crash the telemetry agent and cause a denial of service.
OpenTelemetry eBPF Instrumentation Postgres Parser Vulnerable to Panic via Malformed BIND Payloads (CVE-2026-45678)
2 rules, 1 TTP
The OpenTelemetry eBPF Instrumentation (OBI) Postgres protocol parser is vulnerable to a remote availability issue. When processing BIND messages, the parser assumes payloads contain a valid NUL-terminated portal name; a crafted empty or unterminated payload can cause OBI to slice beyond the end of the captured buffer, triggering a runtime panic and crashing the agent.
OpenTelemetry Prometheus Exporter Denial-of-Service via Malformed HTTP Request (CVE-2026-44902)
2 rules, 1 TTP
A malformed HTTP request can crash any Node.js process running the OpenTelemetry JS Prometheus exporter. The metrics endpoint has no error handling around URL parsing, so a request with an invalid URI causes an uncaught `TypeError` that terminates the process, leading to a denial of service. Update `@opentelemetry/exporter-prometheus` and `@opentelemetry/sdk-node` to version **0.217.0** or later and `@opentelemetry/auto-instrumentations-node` to version **0.75.0** or later to remediate.
OpenTelemetry Collector Azure Auth Extension Authentication Bypass
2 rules, 1 TTP
A server-side authentication bypass vulnerability exists in opentelemetry-collector-contrib's azureauthextension versions 0.124.0 through 0.150.0, allowing attackers with a valid Azure access token to authenticate to any OpenTelemetry receiver that uses `auth: azure_auth` due to improper JWT validation.