CVE-2023-25151 – DoS vulnerability for high cardinality metrics in opentelemetry-go-contrib

https://notcve.org/view.php?id=CVE-2023-25151

08 Feb 2023 — opentelemetry-go-contrib is a collection of extensions for OpenTelemetry-Go. The v0.38.0 release of `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` uses the `httpconv.ServerRequest` function to annotate metric measurements for the `http.server.request_content_length`, `http.server.response_content_length`, and `http.server.duration` instruments. The `ServerRequest` function sets the `http.target` attribute value to be the whole request URI (including the query string)[^1]. The metric instrum... • https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-5r5m-65gx-7vrh • CWE-400: Uncontrolled Resource Consumption •