GHSA-55m9-299j-53c7: OneCollector exporter reads unbounded HTTP response bodies
Summary
The OneCollector exporter (a tool that sends telemetry data, which is information about how a program is running, to a backend server) has a flaw where it reads error responses from failed HTTP requests without limiting how much data it accepts. If an attacker controls the backend server or intercepts the connection, they can send an extremely large response that exhausts the application's memory and crashes it (a denial-of-service attack, where a system is made unavailable).
Solution / Mitigation
Update to the version with PR #4117 applied, which limits the number of bytes read from error response bodies to 4MiB (megabytes). Additionally, use network-level controls like firewall rules, mTLS (mutual TLS, a security protocol for encrypting connections), or a service mesh to prevent Man-in-the-Middle attacks on the configured backend/collector endpoint.
Vulnerability Details
EPSS: 0.0%
Yes
April 29, 2026
Classification
Affected Vendors
Affected Packages
Related Issues
CVE-2022-29200: TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implem
CVE-2021-29541: TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a dereference of a null p
Original source: https://github.com/advisories/GHSA-55m9-299j-53c7
First tracked: April 29, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 75%