Skip to content

chore(deps): update module go.opentelemetry.io/otel to v1.41.0 [security] - abandoned#51

Open
alaudaa-renovate[bot] wants to merge 1 commit into
alauda-v0.34.2from
renovate/go-go.opentelemetry.io-otel-vulnerability
Open

chore(deps): update module go.opentelemetry.io/otel to v1.41.0 [security] - abandoned#51
alaudaa-renovate[bot] wants to merge 1 commit into
alauda-v0.34.2from
renovate/go-go.opentelemetry.io-otel-vulnerability

Conversation

@alaudaa-renovate

@alaudaa-renovate alaudaa-renovate Bot commented May 10, 2026

Copy link
Copy Markdown

This PR contains the following updates:

Package Change Age Confidence
go.opentelemetry.io/otel v1.36.0 -> v1.41.0 age confidence

OpenTelemetry-Go: multi-value baggage header extraction causes excessive allocations (remote dos amplification)

CVE-2026-29181 / GHSA-mh2q-q3fh-2475

More information

Details

multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. this allows an attacker to amplify cpu and allocations by sending many baggage: header lines, even when each individual value is within the 8192-byte per-value parse limit.

severity

HIGH (availability / remote request amplification)

relevant links
vulnerability details

pins: open-telemetry/opentelemetry-go@1ee4a41
as-of: 2026-02-04
policy: direct (no program scope provided)

callsite: propagation/baggage.go:58 (extractMultiBaggage)
attacker control: inbound HTTP request headers (many baggage field-values) → propagation.HeaderCarrier.Values("baggage") → repeated baggage.Parse + member aggregation

root cause

extractMultiBaggage iterates over all baggage header field-values and parses each one independently, then appends members into a shared slice. the 8192-byte parsing cap applies per header value, but the multi-value path repeats that work once per header line (bounded only by the server/proxy header byte limit).

impact

in a default net/http configuration (max header bytes 1mb), a single request with many baggage: header field-values can cause large per-request allocations and increased latency.

example from the attached PoC harness (darwin/arm64; 80 values; 40 requests):

  • canonical: per_req_alloc_bytes=10315458 and p95_ms=7
  • control: per_req_alloc_bytes=133429 and p95_ms=0
proof of concept

canonical:

mkdir -p poc
unzip poc.zip -d poc
cd poc
make test

output (excerpt):

[CALLSITE_HIT]: propagation/baggage.go:58 extractMultiBaggage
[PROOF_MARKER]: baggage_multi_value_amplification p95_ms=7 per_req_alloc_bytes=10315458 per_req_allocs=16165

control:

cd poc
make control

control output (excerpt):

[NC_MARKER]: baggage_single_value_baseline p95_ms=0 per_req_alloc_bytes=133429 per_req_allocs=480

expected: multiple baggage header field-values should be semantically equivalent to a single comma-joined baggage value and should not multiply parsing/alloc work within the effective header byte budget.
actual: multiple baggage header field-values trigger repeated parsing and member aggregation, causing high per-request allocations and increased latency even when each individual value is within 8192 bytes.

fix recommendation

avoid repeated parsing across multi-values by enforcing a global budget and/or normalizing multi-values into a single value before parsing. one mitigation approach is to treat multi-values as a single comma-joined string and cap total parsed bytes (for example 8192 bytes total).

fix accepted when: under the default PoC harness settings, canonical stays within 2x of control for per_req_alloc_bytes and per_req_allocs, and p95_ms stays below 2ms.

poc.zip
PR_DESCRIPTION.md

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

open-telemetry/opentelemetry-go (go.opentelemetry.io/otel)

v1.41.0: /v0.63.0/v0.17.0/v0.0.15

Compare Source

This release is the last to support Go 1.24. The next release will require at least Go 1.25.

Added
Fixed
  • Update Baggage in go.opentelemetry.io/otel/propagation and Parse and New in go.opentelemetry.io/otel/baggage to comply with W3C Baggage specification limits. New and Parse now return partial baggage along with an error when limits are exceeded. Errors from baggage extraction are reported to the global error handler. (#​7880)

What's Changed

New Contributors

Full Changelog: open-telemetry/opentelemetry-go@v1.40.0...v1.41.0

v1.40.0

Compare Source

Added
  • Add go.opentelemetry.io/otel/semconv/v1.40.0 package.
    The package contains semantic conventions from the v1.40.0 version of the OpenTelemetry Semantic Conventions.
    See the migration documentation for information on how to upgrade from go.opentelemetry.io/otel/semconv/v1.39.0. (#​7985)
  • Add Err and SetErr on Record in go.opentelemetry.io/otel/log to attach an error and set record exception attributes in go.opentelemetry.io/otel/log/sdk. (#​7924)
Changed
  • TracerProvider.ForceFlush in go.opentelemetry.io/otel/sdk/trace joins errors together and continues iteration through SpanProcessors as opposed to returning the first encountered error without attempting exports on subsequent SpanProcessors. (#​7856)
Fixed
  • Fix missing request.GetBody in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp to correctly handle HTTP2 GOAWAY frame. (#​7931)
  • Fix semconv v1.39.0 generated metric helpers skipping required attributes when extra attributes were empty. (#​7964)
  • Preserve W3C TraceFlags bitmask (including the random Trace ID flag) during trace context extraction and injection in go.opentelemetry.io/otel/propagation. (#​7834)
Removed
  • Drop support for [Go 1.24]. (#​7984)

v1.39.0

Compare Source

Added
  • Add go.opentelemetry.io/otel/semconv/v1.40.0 package.
    The package contains semantic conventions from the v1.40.0 version of the OpenTelemetry Semantic Conventions.
    See the migration documentation for information on how to upgrade from go.opentelemetry.io/otel/semconv/v1.39.0. (#​7985)
  • Add Err and SetErr on Record in go.opentelemetry.io/otel/log to attach an error and set record exception attributes in go.opentelemetry.io/otel/log/sdk. (#​7924)
Changed
  • TracerProvider.ForceFlush in go.opentelemetry.io/otel/sdk/trace joins errors together and continues iteration through SpanProcessors as opposed to returning the first encountered error without attempting exports on subsequent SpanProcessors. (#​7856)
Fixed
  • Fix missing request.GetBody in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp to correctly handle HTTP2 GOAWAY frame. (#​7931)
  • Fix semconv v1.39.0 generated metric helpers skipping required attributes when extra attributes were empty. (#​7964)
  • Preserve W3C TraceFlags bitmask (including the random Trace ID flag) during trace context extraction and injection in go.opentelemetry.io/otel/propagation. (#​7834)
Removed
  • Drop support for [Go 1.24]. (#​7984)

v1.38.0

Compare Source

Added
  • Add AlwaysRecord sampler in go.opentelemetry.io/otel/sdk/trace. (#​7724)
  • Add Enabled method to all synchronous instrument interfaces (Float64Counter, Float64UpDownCounter, Float64Histogram, Float64Gauge, Int64Counter, Int64UpDownCounter, Int64Histogram, Int64Gauge,) in go.opentelemetry.io/otel/metric.
    This stabilizes the synchronous instrument enabled feature, allowing users to check if an instrument will process measurements before performing computationally expensive operations. (#​7763)
  • Add go.opentelemetry.io/otel/semconv/v1.39.0 package.
    The package contains semantic conventions from the v1.39.0 version of the OpenTelemetry Semantic Conventions.
    See the migration documentation for information on how to upgrade from go.opentelemetry.io/otel/semconv/v1.38.0. (#​7783, #​7789)
Changed
  • Improve the concurrent performance of HistogramReservoir in go.opentelemetry.io/otel/sdk/metric/exemplar by 4x. (#​7443)
  • Improve the concurrent performance of FixedSizeReservoir in go.opentelemetry.io/otel/sdk/metric/exemplar. (#​7447)
  • Improve performance of concurrent histogram measurements in go.opentelemetry.io/otel/sdk/metric. (#​7474)
  • Improve performance of concurrent synchronous gauge measurements in go.opentelemetry.io/otel/sdk/metric. (#​7478)
  • Add experimental observability metrics in go.opentelemetry.io/otel/exporters/stdout/stdoutmetric. (#​7492)
  • Exporter in go.opentelemetry.io/otel/exporters/prometheus ignores metrics with the scope go.opentelemetry.io/contrib/bridges/prometheus.
    This prevents scrape failures when the Prometheus exporter is misconfigured to get data from the Prometheus bridge. (#​7688)
  • Improve performance of concurrent exponential histogram measurements in go.opentelemetry.io/otel/sdk/metric. (#​7702)
  • The rpc.grpc.status_code attribute in the experimental metrics emitted from go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc is replaced with the rpc.response.status_code attribute to align with the semantic conventions. (#​7854)
  • The rpc.grpc.status_code attribute in the experimental metrics emitted from go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc is replaced with the rpc.response.status_code attribute to align with the semantic conventions. (#​7854)
Fixed
  • Fix bad log message when key-value pairs are dropped because of key duplication in go.opentelemetry.io/otel/sdk/log. (#​7662)
  • Fix DroppedAttributes on Record in go.opentelemetry.io/otel/sdk/log to not count the non-attribute key-value pairs dropped because of key duplication. (#​7662)
  • Fix SetAttributes on Record in go.opentelemetry.io/otel/sdk/log to not log that attributes are dropped when they are actually not dropped. (#​7662)
  • Fix missing request.GetBody in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp to correctly handle HTTP/2 GOAWAY frame. (#​7794)
  • WithHostID detector in go.opentelemetry.io/otel/sdk/resource to use full path for ioreg command on Darwin (macOS). (#​7818)
Deprecated

v1.37.0

Compare Source

Added
  • Greatly reduce the cost of recording metrics in go.opentelemetry.io/otel/sdk/metric using hashing for map keys. (#​7175)
  • Add WithInstrumentationAttributeSet option to go.opentelemetry.io/otel/log, go.opentelemetry.io/otel/metric, and go.opentelemetry.io/otel/trace packages.
    This provides a concurrent-safe and performant alternative to WithInstrumentationAttributes by accepting a pre-constructed attribute.Set. (#​7287)
  • Add experimental observability for the Prometheus exporter in go.opentelemetry.io/otel/exporters/prometheus.
    Check the go.opentelemetry.io/otel/exporters/prometheus/internal/x package documentation for more information. (#​7345)
  • Add experimental observability metrics in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc. (#​7353)
  • Add temporality selector functions DeltaTemporalitySelector, CumulativeTemporalitySelector, LowMemoryTemporalitySelector to go.opentelemetry.io/otel/sdk/metric. (#​7434)
  • Add experimental observability metrics for simple log processor in go.opentelemetry.io/otel/sdk/log. (#​7548)
  • Add experimental observability metrics in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc. (#​7459)
  • Add experimental observability metrics in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp. (#​7486)
  • Add experimental observability metrics for simple span processor in go.opentelemetry.io/otel/sdk/trace. (#​7374)
  • Add experimental observability metrics in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp. (#​7512)
  • Add experimental observability metrics for manual reader in go.opentelemetry.io/otel/sdk/metric. (#​7524)
  • Add experimental observability metrics for periodic reader in go.opentelemetry.io/otel/sdk/metric. (#​7571)
  • Support OTEL_EXPORTER_OTLP_LOGS_INSECURE and OTEL_EXPORTER_OTLP_INSECURE environmental variables in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp. (#​7608)
  • Add Enabled method to the Processor interface in go.opentelemetry.io/otel/sdk/log.
    All Processor implementations now include an Enabled method. (#​7639)
  • The go.opentelemetry.io/otel/semconv/v1.38.0 package.
    The package contains semantic conventions from the v1.38.0 version of the OpenTelemetry Semantic Conventions.
    See the migration documentation for information on how to upgrade from go.opentelemetry.io/otel/semconv/v1.37.0.(#​7648)
Changed
  • Distinct in go.opentelemetry.io/otel/attribute is no longer guaranteed to uniquely identify an attribute set.
    Collisions between Distinct values for different Sets are possible with extremely high cardinality (billions of series per instrument), but are highly unlikely. (#​7175)
  • WithInstrumentationAttributes in go.opentelemetry.io/otel/trace synchronously de-duplicates the passed attributes instead of delegating it to the returned TracerOption. (#​7266)
  • WithInstrumentationAttributes in go.opentelemetry.io/otel/meter synchronously de-duplicates the passed attributes instead of delegating it to the returned MeterOption. (#​7266)
  • WithInstrumentationAttributes in go.opentelemetry.io/otel/log synchronously de-duplicates the passed attributes instead of delegating it to the returned LoggerOption. (#​7266)
  • Rename the OTEL_GO_X_SELF_OBSERVABILITY environment variable to OTEL_GO_X_OBSERVABILITY in go.opentelemetry.io/otel/sdk/trace, go.opentelemetry.io/otel/sdk/log, and go.opentelemetry.io/otel/exporters/stdout/stdouttrace. (#​7302)
  • Improve performance of histogram Record in go.opentelemetry.io/otel/sdk/metric when min and max are disabled using NoMinMax. (#​7306)
  • Improve error handling for dropped data during translation by using prometheus.NewInvalidMetric in go.opentelemetry.io/otel/exporters/prometheus.
    ⚠️ Breaking Change: Previously, these cases were only logged and scrapes succeeded.
    Now, when translation would drop data (e.g., invalid label/value), the exporter emits a NewInvalidMetric, and Prometheus scrapes fail with HTTP 500 by default.
    To preserve the prior behavior (scrapes succeed while errors are logged), configure your Prometheus HTTP handler with: promhttp.HandlerOpts{ ErrorHandling: promhttp.ContinueOnError }. (#​7363)
  • Replace fnv hash with xxhash in go.opentelemetry.io/otel/attribute for better performance. (#​7371)
  • The default TranslationStrategy in go.opentelemetry.io/exporters/prometheus is changed from otlptranslator.NoUTF8EscapingWithSuffixes to otlptranslator.UnderscoreEscapingWithSuffixes. (#​7421)
  • Improve performance of concurrent measurements in go.opentelemetry.io/otel/sdk/metric. (#​7427)
  • Include W3C TraceFlags (bits 0–7) in the OTLP Span.Flags field in go.opentelemetry.io/exporters/otlp/otlptrace/otlptracehttp and go.opentelemetry.io/exporters/otlp/otlptrace/otlptracegrpc. (#​7438)
  • The ErrorType function in go.opentelemetry.io/otel/semconv/v1.37.0 now handles custom error types.
    If an error implements an ErrorType() string method, the return value of that method will be used as the error type. (#​7442)
Fixed
  • Fix WithInstrumentationAttributes options in go.opentelemetry.io/otel/trace, go.opentelemetry.io/otel/metric, and go.opentelemetry.io/otel/log to properly merge attributes when passed multiple times instead of replacing them.
    Attributes with duplicate keys will use the last value passed. (#​7300)
  • The equality of attribute.Set when using the Equal method is not affected by the user overriding the empty set pointed to by attribute.EmptySet in go.opentelemetry.io/otel/attribute. (#​7357)
  • Return partial OTLP export errors to the caller in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc. (#​7372)
  • Return partial OTLP export errors to the caller in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp. (#​7372)
  • Return partial OTLP export errors to the caller in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc. (#​7372)
  • Return partial OTLP export errors to the caller in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp. (#​7372)
  • Return partial OTLP export errors to the caller in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc. (#​7372)
  • Return partial OTLP export errors to the caller in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp. (#​7372)
  • Fix AddAttributes, SetAttributes, SetBody on Record in go.opentelemetry.io/otel/sdk/log to not mutate input. (#​7403)
  • Do not double record measurements of RecordSet methods in go.opentelemetry.io/otel/semconv/v1.37.0. (#​7655)
  • Do not double record measurements of RecordSet methods in go.opentelemetry.io/otel/semconv/v1.36.0. (#​7656)
Removed
  • Drop support for [Go 1.23]. (#​7274)
  • Remove the FilterProcessor interface in go.opentelemetry.io/otel/sdk/log.
    The Enabled method has been added to the Processor interface instead.
    All Processor implementations must now implement the Enabled method.
    Custom processors that do not filter records can implement Enabled to return true. (#​7639)

Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Shanghai, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@alaudaa-renovate alaudaa-renovate Bot added the dependencies Pull requests that update a dependency file label May 10, 2026
@alaudaa-renovate

alaudaa-renovate Bot commented May 10, 2026

Copy link
Copy Markdown
Author

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 4 additional dependencies were updated

Details:

Package Change
github.com/stretchr/testify v1.10.0 -> v1.11.1
go.opentelemetry.io/auto/sdk v1.1.0 -> v1.2.1
go.opentelemetry.io/otel/metric v1.36.0 -> v1.41.0
go.opentelemetry.io/otel/trace v1.36.0 -> v1.41.0

@alaudabot

alaudabot commented May 10, 2026

Copy link
Copy Markdown

🤖 AI Code Review

Property Value
Model opencode/minimax-m2.5-free
Style strict
Issues Found 0
Config Source centralized
Profile ❌ Not Found
Personalized Prompt ❌ No
Prompt Path .github/review/profiles/alaudadevops/harbor-scanner-trivy/pr-review.md
Alauda Skills ✅ base-acp-operator-list, base-acp-operator-release, base-authoring, base-m365, base-ocp-operator-list, base-skill-setup, builders-alauda-pipeline, builders-component-knowledge, builders-confluence, builders-jira, builders-notify-wecom, builders-prd-to-testcase, builders-publish-errata, builders-roadmap-studio, builders-story-split, cross-repo-add-mirror, cross-repo-publish, devops-autodns, devops-candidate-version-supervisor, devops-connectors-acceptance-test, devops-connectors-explore, devops-connectors-poc-case, devops-connectors-review, devops-connectors-unit-test, devops-connectors-upgrade-test, devops-connectors-write-user-docs, devops-creating-tekton-pipelines, devops-fix-go-vulns, devops-fork-alauda-binary-release, devops-gen-advanced-form-descriptors, devops-jira-rfd-acceptance, devops-knowledge-adoption, devops-refresh-containerfile-digests, devops-refresh-containerfile-tags, devops-replace-strings, devops-scan-docker-keywords, devops-sync-alauda-github-releases, devops-tekton-dynamic-form-optimizer, devops-tekton-operator-task-e2e, devops-tekton-pipeline-delivery, devops-tekton-task-delivery, devops-tekton-task-overview-template, devops-tekton-task-version-upgrade, devops-tekton-upgrade-notes, devops-tool-report-troubleshoot, devops-ui-e2e-code-audit, devops-ui-e2e-fix-base-on-report, devops-ui-e2e-regression-and-fix, devops-ui-generate-e2e-from-feature, devops-ui-pre-setup, devops-upgrade-go, devops-upstream-backport-cve, devops-upstream-upgrade
Reviewed at 2026-05-10 13:23:28 UTC

Summary

This PR updates go.opentelemetry.io/otel and related dependencies from v1.36.0 to v1.41.0 (along with github.com/stretchr/testify v1.10.0 → v1.11.1 and go.opentelemetry.io/auto/sdk v1.1.0 → v1.2.1). These are pure dependency bumps for a security fix with no code changes. The go.mod and go.sum are consistent.

Review Statistics

Category Count
Critical Issues 0
Warnings 0
Suggestions 0
Files Reviewed 2

Critical Issues

Issues that MUST be addressed before merging (security, bugs, breaking changes)

None.

Warnings

Issues that SHOULD be addressed but are not blocking

None.

Suggestions

Recommendations for improvement (nice to have)

None.

Positive Feedback

  • Clean dependency update with consistent go.mod and go.sum entries
  • Opentelemetry v1.41.0 includes important security fixes; good catch
  • Proper indirect dependency resolution across otel, otel/metric, otel/trace, and auto/sdk
  • No code changes means minimal risk
ℹ️ About this review

This review was automatically generated using the run-actions workflow.

  • Shared prompt: .github/prompts/code-review.md
  • Config source: centralized
  • Profile path: Not Found
  • Profile ref: 4a9568cdd56fea5ff37c463d60c67e04c765f13f
  • No repository-specific prompt configured
  • Alauda skills: base-acp-operator-list, base-acp-operator-release, base-authoring, base-m365, base-ocp-operator-list, base-skill-setup, builders-alauda-pipeline, builders-component-knowledge, builders-confluence, builders-jira, builders-notify-wecom, builders-prd-to-testcase, builders-publish-errata, builders-roadmap-studio, builders-story-split, cross-repo-add-mirror, cross-repo-publish, devops-autodns, devops-candidate-version-supervisor, devops-connectors-acceptance-test, devops-connectors-explore, devops-connectors-poc-case, devops-connectors-review, devops-connectors-unit-test, devops-connectors-upgrade-test, devops-connectors-write-user-docs, devops-creating-tekton-pipelines, devops-fix-go-vulns, devops-fork-alauda-binary-release, devops-gen-advanced-form-descriptors, devops-jira-rfd-acceptance, devops-knowledge-adoption, devops-refresh-containerfile-digests, devops-refresh-containerfile-tags, devops-replace-strings, devops-scan-docker-keywords, devops-sync-alauda-github-releases, devops-tekton-dynamic-form-optimizer, devops-tekton-operator-task-e2e, devops-tekton-pipeline-delivery, devops-tekton-task-delivery, devops-tekton-task-overview-template, devops-tekton-task-version-upgrade, devops-tekton-upgrade-notes, devops-tool-report-troubleshoot, devops-ui-e2e-code-audit, devops-ui-e2e-fix-base-on-report, devops-ui-e2e-regression-and-fix, devops-ui-generate-e2e-from-feature, devops-ui-pre-setup, devops-upgrade-go, devops-upstream-backport-cve, devops-upstream-upgrade

@alaudaa-renovate alaudaa-renovate Bot changed the title chore(deps): update module go.opentelemetry.io/otel to v1.41.0 [security] chore(deps): update module go.opentelemetry.io/otel to v1.41.0 [security] - abandoned Jun 3, 2026
@alaudaa-renovate

alaudaa-renovate Bot commented Jun 3, 2026

Copy link
Copy Markdown
Author

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@yuzichen12123 yuzichen12123

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@alaudabot @yuzichen12123