{"data":{"id":"2106a84b-c008-405c-b78b-d5d8bafdd3e5","title":"GHSA-28xm-prxc-5866: OpenTelemetry.Sampler.AWS & OpenTelemetry.Resources.AWS have unbounded HTTP response body reads","summary":"Two OpenTelemetry libraries have a vulnerability: they read entire HTTP response bodies into memory without any size limit. An attacker who controls the remote endpoint or intercepts the traffic (a man-in-the-middle, or MitM, attack, in which someone secretly relays communications between two parties) could send a very large response to exhaust the application's memory and crash it with an out-of-memory error.","solution":"Fixed in OpenTelemetry.Sampler.AWS version 0.1.0-alpha.8 and OpenTelemetry.Resources.AWS version 1.15.1. The fixes add limits to the HttpClient requests so that the response body is streamed rather than buffered entirely in memory. Workarounds: ensure the X-Ray sampling endpoint is not accessible to untrusted parties; use network-level controls (firewall rules, mTLS, service mesh) to prevent man-in-the-middle attacks; and, if a remote endpoint is used, place it behind a reverse proxy that enforces a response body size limit.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-28xm-prxc-5866","publishedAt":"2026-04-23T21:44:31.000Z","cveId":"CVE-2026-41173","cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":["denial_of_service"],"issueType":"vulnerability","affectedPackages":["OpenTelemetry.Resources.AWS@< 1.15.1 (fixed: 1.15.1)","OpenTelemetry.Sampler.AWS@< 0.1.0-alpha.8 (fixed: 0.1.0-alpha.8)"],"affectedVendors":[],"affectedVendorsRaw":["OpenTelemetry","AWS"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-04-23T21:44:31.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["availability"],"aiComponentTargeted":null,"llmSpecific":false,"classifierConfidence":0.72,"researchCategory":null,"atlasIds":null}}