GHSA-2jc5-xhx8-qj6h: fluent-plugin-opentelemetry Has Denial of Service (DoS) via Large Payloads and Decompression Bombs in `in_opentelemetry`
Summary
The fluent-plugin-opentelemetry plugin's HTTP input (`in_opentelemetry`) enforces no size limit on request bodies, so an attacker can send huge payloads, or small but highly compressed ones (decompression bombs), that consume excessive memory when decompressed and crash the Fluentd logging process, a denial of service (DoS). If the OpenTelemetry endpoint is exposed to untrusted networks, an attacker can exploit this to disrupt all log collection on the affected server.
Solution / Mitigation
Upgrade to v0.5.3. If an immediate upgrade is not possible, restrict network access to the OpenTelemetry ingestion port (default 4318) with firewall rules so that only trusted networks can reach it, or place a reverse proxy such as Nginx in front of Fluentd to handle decompression and enforce strict size limits on both the compressed and the uncompressed request body before traffic reaches Fluentd.
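The mitigation above asks for two caps: one on the compressed body as received and one on the inflated result. The following Ruby code is an added example written for this page, not code from fluent-plugin-opentelemetry or Fluentd, showing how an HTTP ingestion path can enforce both by inflating gzip in fixed-size chunks and aborting as soon as either cap is crossed. The limit values, the `PayloadTooLarge` class and the `decode_request_body` wrapper are assumptions chosen for illustration.

```ruby
require "zlib"
require "stringio"

# Assumed limits for this example; tune them to the largest legitimate OTLP batch you expect.
MAX_COMPRESSED_BYTES   = 1 * 1024 * 1024    # 1 MiB on the wire
MAX_UNCOMPRESSED_BYTES = 8 * 1024 * 1024    # 8 MiB after inflation
READ_CHUNK_BYTES       = 64 * 1024          # inflate in 64 KiB steps so memory grows gradually

class PayloadTooLarge < StandardError; end

# Inflates a gzip body while enforcing caps on both the compressed and the
# inflated size. Reading through GzipReader in fixed-size chunks means the
# inflated data is never materialised all at once, so a bomb is rejected as
# soon as its output crosses the cap instead of after exhausting memory.
def inflate_bounded(body, max_compressed: MAX_COMPRESSED_BYTES,
                    max_uncompressed: MAX_UNCOMPRESSED_BYTES)
  if body.bytesize > max_compressed
    raise PayloadTooLarge, "compressed body is #{body.bytesize} bytes (limit #{max_compressed})"
  end

  out = String.new(capacity: READ_CHUNK_BYTES)
  Zlib::GzipReader.wrap(StringIO.new(body)) do |gz|
    while (chunk = gz.read(READ_CHUNK_BYTES))
      out << chunk
      if out.bytesize > max_uncompressed
        raise PayloadTooLarge, "inflated body exceeded #{max_uncompressed} bytes"
      end
    end
  end
  out
end

# Request-level wrapper modelled on an HTTP input (hypothetical helper): honours
# Content-Encoding and returns a decision hash instead of raising, so a caller
# can map :rejected to an HTTP 413 response and log the reason.
def decode_request_body(body, content_encoding: nil, **limits)
  case content_encoding&.downcase
  when nil, "", "identity"
    max = limits.fetch(:max_uncompressed, MAX_UNCOMPRESSED_BYTES)
    if body.bytesize > max
      return { status: :rejected, reason: "body is #{body.bytesize} bytes (limit #{max})" }
    end
    { status: :ok, body: body }
  when "gzip"
    { status: :ok, body: inflate_bounded(body, **limits) }
  else
    { status: :rejected, reason: "unsupported Content-Encoding #{content_encoding}" }
  end
rescue PayloadTooLarge, Zlib::Error => e
  # Truncated or corrupt gzip (Zlib::Error) is rejected the same way as an oversized body.
  { status: :rejected, reason: e.message }
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample input: 16 MiB of zero bytes gzips to a few tens of kilobytes,
  # so it passes the on-the-wire cap and must be caught by the inflated-size cap.
  bomb = Zlib.gzip("\0" * (16 * 1024 * 1024))
  p decode_request_body(bomb, content_encoding: "gzip")[:status]              # :rejected
  p decode_request_body(Zlib.gzip("{}"), content_encoding: "gzip")[:status]  # :ok
end
```

The compressed-size check alone is not enough, which is why the inflated size is re-checked after every chunk: a body well under the wire limit can still expand by a factor of roughly a thousand under deflate, and a single `Zlib.gunzip` call would allocate the whole result before any check could run.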
Vulnerability Details
EPSS: 0.0%
June 26, 2026
Classification
Affected Packages
Related Issues
CVE-2022-29200: TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implem
CVE-2021-29541: TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a dereference of a null p
Original source: https://github.com/advisories/GHSA-2jc5-xhx8-qj6h
First tracked: June 26, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 75%