Threat Advisory

Prometheus Vulnerability Enables Remote Denial

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-44902 (CVSS score 7.5) is a vulnerability in the OpenTelemetry JS Prometheus exporter, specifically in the Node.js process running the exporter. The affected software is npm/@opentelemetry/exporter-prometheus in versions prior to 0.217.0, npm/@opentelemetry/sdk-node in versions prior to 0.217.0, and npm/@opentelemetry/auto-instrumentations-node in versions prior to 0.75.0. The vulnerability arises from a lack of error handling around URL parsing in the metrics endpoint: when a malformed HTTP request is received, the parser raises an uncaught TypeError that terminates the process. An attacker can exploit this by sending a single unauthenticated network packet to the metrics port, resulting in a denial of service (DoS). The business impact is significant, as an attacker can crash any application using the OpenTelemetry Prometheus exporter's built-in server, requiring no authentication, special privileges, or prior access. The only prerequisite for exploitation is the ability to reach the metrics endpoint, which may be restricted by firewalls, network policies, or reverse proxies; updating to the fixed version is the recommended resolution.

RECOMMENDATION:

  • Update npm/@opentelemetry/exporter-prometheus to version 0.217.0.
  • Update npm/@opentelemetry/sdk-node to version 0.217.0.
  • Update npm/@opentelemetry/auto-instrumentations-node to version 0.75.0.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-q7rr-3cgh-j5r3
