CVE-2023-45142
Memory Exhaustion vulnerability in otelrestful (Go)

Category: Memory Exhaustion. Known public exploit: none.

What is CVE-2023-45142 About?

This vulnerability is a memory exhaustion issue in the OpenTelemetry Go HTTP instrumentation. It occurs because the metric labels `http.user_agent` and `http.method` have unbounded cardinality, allowing an attacker to cause a denial of service. Exploitation is relatively easy, as it only requires sending crafted HTTP requests.

Affected Software

  • go.opentelemetry.io/contrib/instrumentation/github.com/emicklei/go-restful/otelrestful
    • <0.44.0
  • go.opentelemetry.io/contrib/instrumentation/github.com/gin-gonic/gin/otelgin
    • <0.44.0
  • go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux
    • <0.44.0
  • go.opentelemetry.io/contrib/instrumentation/github.com/labstack/echo/otelecho
    • <0.44.0
  • go.opentelemetry.io/contrib/instrumentation/gopkg.in/macaron.v1/otelmacaron
    • <0.44.0
  • go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace
    • <0.44.0
  • go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
    • <0.44.0

Technical Details

The vulnerability lies within the otelhttp.NewHandler wrapper in the OpenTelemetry Go HTTP instrumentation when a metrics pipeline is configured. The handler adds HTTP metric labels, specifically http.user_agent and http.method, whose cardinality is unbounded. An attacker can send a high volume of requests with randomly generated, long, unique values for the User-Agent header or the HTTP method. The library internally uses httpconv.ServerRequest to record every unique value of these attributes, so memory consumption for storing the unique label values grows continuously. This uncontrolled growth ultimately exhausts the server's memory.

What is the Impact of CVE-2023-45142?

Successful exploitation may allow attackers to cause a denial of service by exhausting server memory resources, making the affected service unavailable to legitimate users.

What is the Exploitability of CVE-2023-45142?

Exploitation is straightforward and requires no prior authentication or elevated privileges. An attacker only needs remote access to the vulnerable application's HTTP endpoint. The complexity is low, as it primarily involves sending numerous HTTP requests with crafted User-Agent headers and/or custom HTTP methods. The likelihood of exploitation is increased if the application directly exposes the otelhttp.NewHandler without any upstream filtering or rate limiting mechanisms in place (e.g., CDN, load balancer, or other middleware).
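As an added illustration (not code from this advisory or from the OpenTelemetry project), the Go program below models the label-set growth described in Technical Details and shows one upstream filter of the kind the paragraph above mentions: a hypothetical BoundCardinality middleware that rejects non-standard methods and drops User-Agent before a request reaches the handler assumed to be wrapped by otelhttp.NewHandler. The map `seen` stands in for the real metrics instrument, and the allowed-method list, the middleware and all request values are constructed assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Methods this service actually serves; anything else is rejected before it can
// reach the instrumented handler and become a new metric label value.
var allowedMethods = map[string]bool{
	"GET": true, "HEAD": true, "POST": true, "PUT": true, "DELETE": true, "OPTIONS": true,
}

// BoundCardinality is a hypothetical middleware in front of the instrumented
// handler: it rejects unknown methods and drops User-Agent so neither label is attacker-chosen.
func BoundCardinality(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !allowedMethods[r.Method] {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		r.Header.Del("User-Agent")
		next.ServeHTTP(w, r)
	})
}

// Simulate sends n requests (unique User-Agent each, unique method on every other
// one) through the instrumented handler and returns how many label sets were recorded.
func Simulate(n int, bounded bool) int {
	// seen stands in for the metrics instrument: one entry per distinct
	// (method, user_agent) pair, the state that grows without bound under attack.
	seen := map[[2]string]int{}
	var h http.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen[[2]string{r.Method, r.UserAgent()}]++ // what the instrumentation records
	})
	if bounded {
		h = BoundCardinality(h)
	}
	for i := 0; i < n; i++ {
		method := "GET"
		if i%2 == 1 {
			method = fmt.Sprintf("M%d", i) // constructed unknown method
		}
		req := httptest.NewRequest(method, "/", nil)
		req.Header.Set("User-Agent", fmt.Sprintf("ua-%d", i)) // constructed unique UA
		h.ServeHTTP(httptest.NewRecorder(), req)
	}
	return len(seen)
}
```

Without the middleware every request adds a new label set; behind it the instrument only ever sees one. Upgrading to 0.44.0 remains the actual fix; the middleware only limits which values the instrumentation can observe in the meantime.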

What are the Known Public Exploits?

No known public exploits (no PoC, author, link or commentary listed).

What are the Available Fixes for CVE-2023-45142?

Available Upgrade Options

  • go.opentelemetry.io/contrib/instrumentation/github.com/labstack/echo/otelecho
    • <0.44.0 → Upgrade to 0.44.0
  • go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux
    • <0.44.0 → Upgrade to 0.44.0
  • go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
    • <0.44.0 → Upgrade to 0.44.0
  • go.opentelemetry.io/contrib/instrumentation/gopkg.in/macaron.v1/otelmacaron
    • <0.44.0 → Upgrade to 0.44.0
  • go.opentelemetry.io/contrib/instrumentation/github.com/emicklei/go-restful/otelrestful
    • <0.44.0 → Upgrade to 0.44.0
  • go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace
    • <0.44.0 → Upgrade to 0.44.0
  • go.opentelemetry.io/contrib/instrumentation/github.com/gin-gonic/gin/otelgin
    • <0.44.0 → Upgrade to 0.44.0


Additional Resources

What are Similar Vulnerabilities to CVE-2023-45142?

Similar Vulnerabilities: CVE-2022-26166, CVE-2021-39144, CVE-2021-42340, CVE-2020-28198, CVE-2020-0062