Skip to content

fix(deps): update module go.opentelemetry.io/otel to v1.41.0 [security]#14

Merged
chengjingtao merged 1 commit into
alauda-v0.0.18from
renovate/go-go.opentelemetry.io-otel-vulnerability
May 20, 2026
Merged

fix(deps): update module go.opentelemetry.io/otel to v1.41.0 [security]#14
chengjingtao merged 1 commit into
alauda-v0.0.18from
renovate/go-go.opentelemetry.io-otel-vulnerability

Conversation

@alaudaa-renovate

@alaudaa-renovate alaudaa-renovate Bot commented Apr 25, 2026
edited
Loading

Copy link
Copy Markdown

This PR contains the following updates:

Package Change Age Confidence
go.opentelemetry.io/otel v1.38.0 -> v1.41.0 age confidence

GitHub Vulnerability Alerts

CVE-2026-29181

multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. this allows an attacker to amplify cpu and allocations by sending many baggage: header lines, even when each individual value is within the 8192-byte per-value parse limit.

severity

HIGH (availability / remote request amplification)

relevant links

vulnerability details

pins: open-telemetry/opentelemetry-go@1ee4a41
as-of: 2026-02-04
policy: direct (no program scope provided)

callsite: propagation/baggage.go:58 (extractMultiBaggage)
attacker control: inbound HTTP request headers (many baggage field-values) → propagation.HeaderCarrier.Values("baggage") → repeated baggage.Parse + member aggregation

root cause

extractMultiBaggage iterates over all baggage header field-values and parses each one independently, then appends members into a shared slice. the 8192-byte parsing cap applies per header value, but the multi-value path repeats that work once per header line (bounded only by the server/proxy header byte limit).

impact

in a default net/http configuration (max header bytes 1mb), a single request with many baggage: header field-values can cause large per-request allocations and increased latency.

example from the attached PoC harness (darwin/arm64; 80 values; 40 requests):

  • canonical: per_req_alloc_bytes=10315458 and p95_ms=7
  • control: per_req_alloc_bytes=133429 and p95_ms=0

proof of concept

canonical:

mkdir -p poc
unzip poc.zip -d poc
cd poc
make test

output (excerpt):

[CALLSITE_HIT]: propagation/baggage.go:58 extractMultiBaggage
[PROOF_MARKER]: baggage_multi_value_amplification p95_ms=7 per_req_alloc_bytes=10315458 per_req_allocs=16165

control:

cd poc
make control

control output (excerpt):

[NC_MARKER]: baggage_single_value_baseline p95_ms=0 per_req_alloc_bytes=133429 per_req_allocs=480

expected: multiple baggage header field-values should be semantically equivalent to a single comma-joined baggage value and should not multiply parsing/alloc work within the effective header byte budget.
actual: multiple baggage header field-values trigger repeated parsing and member aggregation, causing high per-request allocations and increased latency even when each individual value is within 8192 bytes.

fix recommendation

avoid repeated parsing across multi-values by enforcing a global budget and/or normalizing multi-values into a single value before parsing. one mitigation approach is to treat multi-values as a single comma-joined string and cap total parsed bytes (for example 8192 bytes total).

fix accepted when: under the default PoC harness settings, canonical stays within 2x of control for per_req_alloc_bytes and per_req_allocs, and p95_ms stays below 2ms.

poc.zip
PR_DESCRIPTION.md

OpenTelemetry-Go: multi-value baggage header extraction causes excessive allocations (remote dos amplification)

CVE-2026-29181 / GHSA-mh2q-q3fh-2475

More information

Details

multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. this allows an attacker to amplify cpu and allocations by sending many baggage: header lines, even when each individual value is within the 8192-byte per-value parse limit.

severity

HIGH (availability / remote request amplification)

relevant links
vulnerability details

pins: open-telemetry/opentelemetry-go@1ee4a41
as-of: 2026-02-04
policy: direct (no program scope provided)

callsite: propagation/baggage.go:58 (extractMultiBaggage)
attacker control: inbound HTTP request headers (many baggage field-values) → propagation.HeaderCarrier.Values("baggage") → repeated baggage.Parse + member aggregation

root cause

extractMultiBaggage iterates over all baggage header field-values and parses each one independently, then appends members into a shared slice. the 8192-byte parsing cap applies per header value, but the multi-value path repeats that work once per header line (bounded only by the server/proxy header byte limit).

impact

in a default net/http configuration (max header bytes 1mb), a single request with many baggage: header field-values can cause large per-request allocations and increased latency.

example from the attached PoC harness (darwin/arm64; 80 values; 40 requests):

  • canonical: per_req_alloc_bytes=10315458 and p95_ms=7
  • control: per_req_alloc_bytes=133429 and p95_ms=0
proof of concept

canonical:

mkdir -p poc
unzip poc.zip -d poc
cd poc
make test

output (excerpt):

[CALLSITE_HIT]: propagation/baggage.go:58 extractMultiBaggage
[PROOF_MARKER]: baggage_multi_value_amplification p95_ms=7 per_req_alloc_bytes=10315458 per_req_allocs=16165

control:

cd poc
make control

control output (excerpt):

[NC_MARKER]: baggage_single_value_baseline p95_ms=0 per_req_alloc_bytes=133429 per_req_allocs=480

expected: multiple baggage header field-values should be semantically equivalent to a single comma-joined baggage value and should not multiply parsing/alloc work within the effective header byte budget.
actual: multiple baggage header field-values trigger repeated parsing and member aggregation, causing high per-request allocations and increased latency even when each individual value is within 8192 bytes.

fix recommendation

avoid repeated parsing across multi-values by enforcing a global budget and/or normalizing multi-values into a single value before parsing. one mitigation approach is to treat multi-values as a single comma-joined string and cap total parsed bytes (for example 8192 bytes total).

fix accepted when: under the default PoC harness settings, canonical stays within 2x of control for per_req_alloc_bytes and per_req_allocs, and p95_ms stays below 2ms.

poc.zip
PR_DESCRIPTION.md

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

open-telemetry/opentelemetry-go (go.opentelemetry.io/otel)

v1.41.0: /v0.63.0/v0.17.0/v0.0.15

Compare Source

This release is the last to support Go 1.24. The next release will require at least Go 1.25.

Added
Fixed
  • Update Baggage in go.opentelemetry.io/otel/propagation and Parse and New in go.opentelemetry.io/otel/baggage to comply with W3C Baggage specification limits. New and Parse now return partial baggage along with an error when limits are exceeded. Errors from baggage extraction are reported to the global error handler. (#​7880)

What's Changed

New Contributors

Full Changelog: open-telemetry/opentelemetry-go@v1.40.0...v1.41.0

v1.40.0

Compare Source

Added
  • Add go.opentelemetry.io/otel/semconv/v1.40.0 package.
    The package contains semantic conventions from the v1.40.0 version of the OpenTelemetry Semantic Conventions.
    See the migration documentation for information on how to upgrade from go.opentelemetry.io/otel/semconv/v1.39.0. (#​7985)
  • Add Err and SetErr on Record in go.opentelemetry.io/otel/log to attach an error and set record exception attributes in go.opentelemetry.io/otel/log/sdk. (#​7924)
Changed
  • TracerProvider.ForceFlush in go.opentelemetry.io/otel/sdk/trace joins errors together and continues iteration through SpanProcessors as opposed to returning the first encountered error without attempting exports on subsequent SpanProcessors. (#​7856)
Fixed
  • Fix missing request.GetBody in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp to correctly handle HTTP2 GOAWAY frame. (#​7931)
  • Fix semconv v1.39.0 generated metric helpers skipping required attributes when extra attributes were empty. (#​7964)
  • Preserve W3C TraceFlags bitmask (including the random Trace ID flag) during trace context extraction and injection in go.opentelemetry.io/otel/propagation. (#​7834)
Removed
  • Drop support for [Go 1.24]. (#​7984)

v1.39.0

Compare Source

Added
  • Add go.opentelemetry.io/otel/semconv/v1.40.0 package.
    The package contains semantic conventions from the v1.40.0 version of the OpenTelemetry Semantic Conventions.
    See the migration documentation for information on how to upgrade from go.opentelemetry.io/otel/semconv/v1.39.0. (#​7985)
  • Add Err and SetErr on Record in go.opentelemetry.io/otel/log to attach an error and set record exception attributes in go.opentelemetry.io/otel/log/sdk. (#​7924)
Changed
  • TracerProvider.ForceFlush in go.opentelemetry.io/otel/sdk/trace joins errors together and continues iteration through SpanProcessors as opposed to returning the first encountered error without attempting exports on subsequent SpanProcessors. (#​7856)
Fixed
  • Fix missing request.GetBody in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp to correctly handle HTTP2 GOAWAY frame. (#​7931)
  • Fix semconv v1.39.0 generated metric helpers skipping required attributes when extra attributes were empty. (#​7964)
  • Preserve W3C TraceFlags bitmask (including the random Trace ID flag) during trace context extraction and injection in go.opentelemetry.io/otel/propagation. (#​7834)
Removed
  • Drop support for [Go 1.24]. (#​7984)

Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Shanghai, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@alaudaa-renovate

alaudaa-renovate Bot commented Apr 25, 2026

Copy link
Copy Markdown
Author

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: .dagger/go.sum
Command failed: go get -d -t ./...
go: -d flag is deprecated. -d=true is a no-op
go: dagger/harbor-cli imports
	dagger/harbor-cli/internal/dagger: package dagger/harbor-cli/internal/dagger is not in std (/opt/containerbase/tools/golang/1.26.2/src/dagger/harbor-cli/internal/dagger)

alaudabot
alaudabot reviewed Apr 25, 2026
View reviewed changes
Comment thread .dagger/go.mod
github.com/Khan/genqlient v0.8.1
github.com/vektah/gqlparser/v2 v2.5.30
go.opentelemetry.io/otel v1.38.0
go.opentelemetry.io/otel v1.41.0

@alaudabot alaudabot Apr 25, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Warning (style/consistency): Other go.opentelemetry.io/otel packages (e.g., otlpmetricgrpc v1.38.0) remain at the old version. Consider updating them together or verifying compatibility to avoid subtle runtime issues from mixed versions.

@alaudabot

alaudabot commented Apr 25, 2026
edited
Loading

Copy link
Copy Markdown

🤖 AI Code Review

Property Value
Model opencode/minimax-m2.5-free
Style strict
Issues Found 0
Config Source centralized
Profile ❌ Not Found
Personalized Prompt ❌ No
Prompt Path .github/review/profiles/alaudadevops/harbor-cli/pr-review.md
Alauda Skills ✅ base-acp-operator-list, base-acp-operator-release, base-authoring, base-m365, base-ocp-operator-list, base-skill-setup, builders-alauda-pipeline, builders-component-knowledge, builders-confluence, builders-jira, builders-notify-wecom, builders-prd-to-testcase, builders-publish-errata, builders-roadmap-studio, builders-story-split, cross-repo-add-mirror, cross-repo-publish, devops-autodns, devops-candidate-version-supervisor, devops-connectors-acceptance-test, devops-connectors-explore, devops-connectors-poc-case, devops-connectors-review, devops-connectors-unit-test, devops-connectors-upgrade-test, devops-connectors-write-user-docs, devops-creating-tekton-pipelines, devops-fix-go-vulns, devops-fork-alauda-binary-release, devops-gen-advanced-form-descriptors, devops-jira-rfd-acceptance, devops-knowledge-adoption, devops-refresh-containerfile-digests, devops-refresh-containerfile-tags, devops-replace-strings, devops-scan-docker-keywords, devops-sync-alauda-github-releases, devops-tekton-dynamic-form-optimizer, devops-tekton-operator-task-e2e, devops-tekton-pipeline-delivery, devops-tekton-task-delivery, devops-tekton-task-overview-template, devops-tekton-task-version-upgrade, devops-tekton-upgrade-notes, devops-tool-report-troubleshoot, devops-ui-e2e-code-audit, devops-ui-e2e-fix-base-on-report, devops-ui-e2e-regression-and-fix, devops-ui-generate-e2e-from-feature, devops-ui-pre-setup, devops-upgrade-go, devops-upstream-backport-cve, devops-upstream-upgrade
Reviewed at 2026-05-10 08:39:42 UTC

Summary

This PR updates go.opentelemetry.io/otel from v1.38.0 to v1.41.0 to fix CVE-2026-29181, a high-severity security vulnerability in the baggage header propagation that allows remote DoS amplification. The change is in .dagger/go.mod and is a straightforward dependency version bump.

Review Statistics

Category Count
Critical Issues 0
Warnings 1
Suggestions 0
Files Reviewed 1

Critical Issues

Issues that MUST be addressed before merging (security, bugs, breaking changes)

None. This is a security fix that addresses CVE-2026-29181.

Warnings

Issues that SHOULD be addressed but are not blocking

  • :dagger/go.mod:11 Other go.opentelemetry.io/otel packages (e.g., otlpmetricgrpc v1.38.0, otlpmetrichttp v1.38.0) remain at the old version. Consider updating them together or verifying compatibility. This is a consistency concern but not blocking since the security fix is in the core package's propagation module.

Suggestions

Recommendations for improvement (nice to have)

None.

Positive Feedback

  • The PR correctly targets the security fix for CVE-2026-29181 in the OpenTelemetry core package
  • Using Renovate for automated dependency updates ensures timely security patches
  • The PR description includes detailed vulnerability information (CVSS score, attack vector, impact)
ℹ️ About this review

This review was automatically generated using the run-actions workflow.

  • Shared prompt: .github/prompts/code-review.md
  • Config source: centralized
  • Profile path: Not Found
  • Profile ref: 4a9568cdd56fea5ff37c463d60c67e04c765f13f
  • No repository-specific prompt configured
  • Alauda skills: base-acp-operator-list, base-acp-operator-release, base-authoring, base-m365, base-ocp-operator-list, base-skill-setup, builders-alauda-pipeline, builders-component-knowledge, builders-confluence, builders-jira, builders-notify-wecom, builders-prd-to-testcase, builders-publish-errata, builders-roadmap-studio, builders-story-split, cross-repo-add-mirror, cross-repo-publish, devops-autodns, devops-candidate-version-supervisor, devops-connectors-acceptance-test, devops-connectors-explore, devops-connectors-poc-case, devops-connectors-review, devops-connectors-unit-test, devops-connectors-upgrade-test, devops-connectors-write-user-docs, devops-creating-tekton-pipelines, devops-fix-go-vulns, devops-fork-alauda-binary-release, devops-gen-advanced-form-descriptors, devops-jira-rfd-acceptance, devops-knowledge-adoption, devops-refresh-containerfile-digests, devops-refresh-containerfile-tags, devops-replace-strings, devops-scan-docker-keywords, devops-sync-alauda-github-releases, devops-tekton-dynamic-form-optimizer, devops-tekton-operator-task-e2e, devops-tekton-pipeline-delivery, devops-tekton-task-delivery, devops-tekton-task-overview-template, devops-tekton-task-version-upgrade, devops-tekton-upgrade-notes, devops-tool-report-troubleshoot, devops-ui-e2e-code-audit, devops-ui-e2e-fix-base-on-report, devops-ui-e2e-regression-and-fix, devops-ui-generate-e2e-from-feature, devops-ui-pre-setup, devops-upgrade-go, devops-upstream-backport-cve, devops-upstream-upgrade

@chengjingtao chengjingtao merged commit c86bb8f into alauda-v0.0.18 May 20, 2026
6 of 7 checks passed
@chengjingtao chengjingtao deleted the renovate/go-go.opentelemetry.io-otel-vulnerability branch May 20, 2026 09:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@alaudabot alaudabot alaudabot left review comments

Assignees

@chengjingtao chengjingtao

Labels

dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@alaudabot @chengjingtao