GHSA-q7rr-3cgh-j5r3: Prometheus exporter process crash via malformed HTTP request
Summary
A malformed HTTP request can crash any Node.js application using the OpenTelemetry Prometheus exporter, because the metrics endpoint (the HTTP server the exporter starts so that Prometheus can scrape application metrics) does not validate the incoming request URL before parsing it. Since this endpoint is unauthenticated and exposed by default, any network user who can reach it can send a specially crafted request that terminates the entire application process.
Solution / Mitigation
Update @opentelemetry/exporter-prometheus and @opentelemetry/sdk-node to version 0.217.0 or later, and update @opentelemetry/auto-instrumentations-node to version 0.75.0 or later. The fixed versions wrap the URL constructor in proper error handling and return an HTTP 400 response on parse failure instead of letting the exception crash the process. Run: npm install @opentelemetry/exporter-prometheus@latest. If updating immediately is not feasible, as a temporary mitigation: bind the endpoint to localhost only by setting the host option to 127.0.0.1, use a firewall or network policy to restrict access to port 9464 to trusted Prometheus scrape hosts only, or place the endpoint behind a reverse proxy that filters or validates incoming requests.
Vulnerability Details
EPSS: 0.0%
May 11, 2026
Original source: https://github.com/advisories/GHSA-q7rr-3cgh-j5r3
First tracked: May 11, 2026 at 02:00 PM