CVE-2026-44902

Summary

opentelemetry-js is the OpenTelemetry JavaScript Client. Prior to 0.217.0, a single malformed HTTP request crashes any Node.js process running the OpenTelemetry JS Prometheus exporter. The metrics endpoint (default 0.0.0.0:9464) has no error handling around URL parsing, so a request with an invalid URI causes an uncaught TypeError that terminates the process. This vulnerability is fixed in 0.217.0.

Affected Software

VendorProductVersion RangeStatus
open-telemetryopentelemetry-js< 0.217.0affected
@opentelemetryexporter-prometheus< 0.217.0affected
@opentelemetrysdk-node< 0.217.0affected
@opentelemetryauto-instrumentations-node< 0.75.0affected

Weaknesses

  • CWE-755: CWE-755: Improper Handling of Exceptional Conditions

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

Additional References

References