GHSA-vc24-j8c5-2vw4: OpenTelemetry.Resources.Azure has an unbounded HTTP response body read
Summary
OpenTelemetry.Resources.Azure reads Azure VM metadata service responses into memory without any size limit. An attacker who can send extremely large responses can exhaust the system's memory and crash the application (a denial of service). This affects applications using the Azure VM resource detector that connect to a compromised or intercepted metadata endpoint.
Solution / Mitigation
Fixed in OpenTelemetry.Resources.Azure version 1.15.0-beta.2. The fix introduces limits to HttpClient requests so that response bodies are streamed rather than loaded entirely into memory, with responses greater than 4 MiB being ignored. As workarounds, you can disable the Azure VM resource detector or use network-level controls (firewall rules, mTLS, or service mesh) to prevent Man-in-the-Middle attacks on the Azure VM instance metadata endpoint.
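The bounded read described above, as an added example (not the OpenTelemetry.Resources.Azure source): the body is streamed and abandoned once it passes 4 MiB. `FakeEndpoint`, `BoundedRead` and the `metadata.invalid` URI are hypothetical names, the body sizes are constructed, and .NET 5 or later is assumed.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;

// Constructed stand-in for a spoofed metadata endpoint: returns `size` zero bytes, no network.
sealed class FakeEndpoint : HttpMessageHandler
{
    private readonly int size;
    public FakeEndpoint(int size) => this.size = size;
    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage r, CancellationToken ct) =>
        Task.FromResult(new HttpResponseMessage(HttpStatusCode.OK)
            { Content = new StreamContent(new MemoryStream(new byte[size])) });
}

static class BoundedRead
{
    public const int MaxBytes = 4 * 1024 * 1024; // advisory: responses > 4 MiB are ignored
    // Returns the body, or null when it exceeds MaxBytes.
    public static async Task<byte[]?> GetAsync(HttpClient client, Uri uri, CancellationToken ct = default)
    {
        // ResponseHeadersRead returns before the body is buffered, so we control the read.
        using var resp = await client.GetAsync(uri, HttpCompletionOption.ResponseHeadersRead, ct);
        resp.EnsureSuccessStatusCode();
        if (resp.Content.Headers.ContentLength > MaxBytes) return null; // declared too large
        using var body = await resp.Content.ReadAsStreamAsync(ct);
        using var buf = new MemoryStream();
        var chunk = new byte[8192];
        int n;
        // Content-Length can be absent or wrong, so count bytes while streaming.
        while ((n = await body.ReadAsync(chunk, 0, chunk.Length, ct)) > 0)
        {
            if (buf.Length + n > MaxBytes) return null; // abandon; disposing resp drops the rest
            buf.Write(chunk, 0, n);
        }
        return buf.ToArray();
    }
    static async Task Main()
    {
        foreach (var size in new[] { 1024, MaxBytes + 1 }) // constructed body sizes
        {
            using var client = new HttpClient(new FakeEndpoint(size));
            var result = await GetAsync(client, new Uri("http://metadata.invalid/")); // placeholder URI
            Console.WriteLine($"{size} bytes -> {(result is null ? "ignored" : "accepted")}");
        }
    }
}
```

By contrast, a call such as `HttpClient.GetStringAsync` buffers the whole body before returning, which is the kind of unbounded read the advisory describes.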
Vulnerability Details
EPSS: 0.0%
April 29, 2026
Original source: https://github.com/advisories/GHSA-vc24-j8c5-2vw4
First tracked: April 29, 2026 at 08:00 PM