CVE-2026-44902
7.5 HIGH
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): None (N)
- Integrity (I): None (N)
- Availability (A): High (H)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): None (N)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): None (N)
- Modified Availability (MA): High (H)
opentelemetry-js: Prometheus exporter process crash via malformed HTTP request
opentelemetry-js is the OpenTelemetry JavaScript Client. Prior to 0.217.0, a single malformed HTTP request crashes any Node.js process running the OpenTelemetry JS Prometheus exporter. The metrics endpoint (default 0.0.0.0:9464) has no error handling around URL parsing, so a request with an invalid URI causes an uncaught TypeError that terminates the process. This vulnerability is fixed in 0.217.0.
References
Affected products
- sdk-node: < 0.217.0
- opentelemetry-js: < 0.217.0
- exporter-prometheus: < 0.217.0
- auto-instrumentations-node: < 0.75.0
Matching in nixpkgs
- pkgs.python312Packages.opentelemetry-exporter-prometheus: Prometheus Metric Exporter for OpenTelemetry
- pkgs.python313Packages.opentelemetry-exporter-prometheus: Prometheus Metric Exporter for OpenTelemetry
- pkgs.python314Packages.opentelemetry-exporter-prometheus: Prometheus Metric Exporter for OpenTelemetry
These are name matches only: they are the Python exporter from opentelemetry-python, not the JavaScript exporter-prometheus package from opentelemetry-js that this advisory covers.
Package maintainers
- @natsukium Tomoya Otabi <nixpkgs@natsukium.com>
- @invokes-su Souvik Sen <nixpkgs-commits@deshaw.com>
- @despsyched Priyanshu Tripathi <priyanshu.tripathi@deshaw.com>
- @de11n Elliot Cameron <nixpkgs-commits@deshaw.com>