CVE-2026-42348: OpAMP client reads unbounded HTTP response bodies
When receiving responses from the OpAMP server over HTTP, the OpAMP client allocates an unbounded buffer and reads every byte the server sends, with no upper bound on the number of bytes consumed.
This can cause memory exhaustion in the consuming application if the configured OpAMP server is attacker-controlled (or a network attacker can MitM the connection) and an extremely large body is returned in the response.
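The following C# is an added illustration and is not code from opentelemetry-dotnet-contrib or from the fixing commit. It puts the unbounded read pattern the advisory describes beside a bounded reader that aborts once a fixed byte limit is exceeded, and shows how the bound is applied to an HttpClient call. The class name, method names and the 64 KiB limit are assumptions chosen for the example; the MemoryStream bodies in Main are constructed stand-ins for server responses.

```csharp
using System;
using System.IO;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;

// Added illustration, not the opentelemetry-dotnet-contrib code. Names here are
// hypothetical; the pattern is what matters.
public static class BoundedBodyReader
{
    // Vulnerable pattern: buffers however many bytes the server chooses to send.
    public static async Task<byte[]> ReadUnboundedAsync(Stream body)
    {
        using var buffer = new MemoryStream();
        await body.CopyToAsync(buffer);
        return buffer.ToArray();
    }

    // Hardened pattern: reads in fixed-size chunks and aborts as soon as the running
    // total exceeds maxBytes, so a hostile server cannot force a large allocation.
    public static async Task<byte[]> ReadBoundedAsync(Stream body, long maxBytes, CancellationToken ct = default)
    {
        if (maxBytes <= 0) throw new ArgumentOutOfRangeException(nameof(maxBytes));
        using var buffer = new MemoryStream();
        var chunk = new byte[16 * 1024];
        long total = 0;
        int read;
        while ((read = await body.ReadAsync(chunk, 0, chunk.Length, ct)) > 0)
        {
            total += read;
            if (total > maxBytes)
                throw new InvalidDataException($"response body exceeded the {maxBytes}-byte limit");
            buffer.Write(chunk, 0, read);
        }
        return buffer.ToArray();
    }

    // Applies the bound to an HttpClient call. ResponseHeadersRead stops HttpClient from
    // buffering the whole body before we see it; a declared Content-Length above the
    // limit is rejected before any body bytes are read, but the streaming check still
    // runs because Content-Length may be absent or untruthful.
    public static async Task<byte[]> GetBoundedAsync(HttpClient client, Uri uri, long maxBytes, CancellationToken ct = default)
    {
        using var response = await client.GetAsync(uri, HttpCompletionOption.ResponseHeadersRead, ct);
        response.EnsureSuccessStatusCode();
        long? declared = response.Content.Headers.ContentLength;
        if (declared.HasValue && declared.Value > maxBytes)
            throw new InvalidDataException($"declared Content-Length {declared.Value} exceeds the {maxBytes}-byte limit");
        using var body = await response.Content.ReadAsStreamAsync(ct);
        return await ReadBoundedAsync(body, maxBytes, ct);
    }

    public static async Task Main()
    {
        const long limit = 64 * 1024;                              // assumed limit for the demo
        var small = new MemoryStream(new byte[1024]);              // constructed normal body
        var huge = new MemoryStream(new byte[4 * 1024 * 1024]);    // constructed oversized body

        Console.WriteLine($"small body accepted: {(await ReadBoundedAsync(small, limit)).Length} bytes");
        try
        {
            await ReadBoundedAsync(huge, limit);
        }
        catch (InvalidDataException ex)
        {
            Console.WriteLine($"huge body rejected: {ex.Message}");
        }
    }
}
```

The limit should be sized to the largest legitimate OpAMP message the client expects, not to available memory. HttpClient also exposes MaxResponseContentBufferSize, but it only applies when HttpClient buffers the content itself; once the body is read as a stream, as above, the caller's own bound is what protects the process.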
References
- github.com/advisories/GHSA-w2jh-77fq-7gp8
- github.com/open-telemetry/opentelemetry-dotnet-contrib
- github.com/open-telemetry/opentelemetry-dotnet-contrib/commit/bf1fad4fa298ff451cda0efb0ee9c7a7eb46212a
- github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/4116
- github.com/open-telemetry/opentelemetry-dotnet-contrib/security/advisories/GHSA-w2jh-77fq-7gp8
- nvd.nist.gov/vuln/detail/CVE-2026-42348