{"data":{"id":"dec62826-2600-44a1-a6b3-e50a7c41ba34","title":"GHSA-q7rr-3cgh-j5r3: Prometheus exporter process crash via malformed HTTP request","summary":"A malformed HTTP request can crash any Node.js application using the OpenTelemetry Prometheus exporter because the metrics endpoint (a server that collects application performance data) doesn't properly validate incoming URLs before processing them. Since this endpoint is unauthenticated and exposed by default, any network user can send a specially crafted request to crash the entire application.","solution":"Update @opentelemetry/exporter-prometheus and @opentelemetry/sdk-node to version 0.217.0 or later, and update @opentelemetry/auto-instrumentations-node to version 0.75.0 or later. This release adds proper error handling around the URL constructor, returning an HTTP 400 response on parse failure rather than crashing the process. Run: npm install @opentelemetry/exporter-prometheus@latest. As a temporary mitigation if immediate updating is not feasible: bind the endpoint to localhost only by setting the host option to 127.0.0.1, use a firewall or network policy to restrict access to port 9464 to only trusted Prometheus scrape hosts, or place the endpoint behind a reverse proxy that filters or validates incoming requests.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-q7rr-3cgh-j5r3","publishedAt":"2026-05-11T14:42:10.000Z","cveId":"CVE-2026-44902","cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":["denial_of_service"],"issueType":"vulnerability","affectedPackages":["@opentelemetry/auto-instrumentations-node@< 0.75.0 (fixed: 0.75.0)","@opentelemetry/sdk-node@< 0.217.0 (fixed: 0.217.0)","@opentelemetry/exporter-prometheus@< 0.217.0 (fixed: 0.217.0)"],"affectedVendors":[],"affectedVendorsRaw":["OpenTelemetry"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-05-11T14:42:10.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["availability"],"aiComponentTargeted":"inference","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}