CVE-2026-44902
Awaiting Analysis Awaiting Analysis - Queue
Denial of Service in OpenTelemetry JavaScript Prometheus Exporter

Publication date: 2026-05-27

Last updated on: 2026-05-28

Assigner: GitHub, Inc.

Description
opentelemetry-js is the OpenTelemetry JavaScript Client. Prior to 0.217.0, a single malformed HTTP request crashes any Node.js process running the OpenTelemetry JS Prometheus exporter. The metrics endpoint (default 0.0.0.0:9464) has no error handling around URL parsing, so a request with an invalid URI causes an uncaught TypeError that terminates the process. This vulnerability is fixed in 0.217.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-05-28
Generated
2026-06-16
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-44902
EUVD
EUVD-2026-32538
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
opentelemetry opentelemetry-js to 0.217.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-755 The product does not handle or incorrectly handles an exceptional condition.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability can be detected by checking if any Node.js process running the OpenTelemetry JS Prometheus exporter is crashing upon receiving malformed HTTP requests on the metrics endpoint (default port 9464).

To detect if your system is vulnerable, you can attempt to send a malformed HTTP request to the metrics endpoint and observe if the Node.js process crashes.

  • Use curl or similar tools to send an invalid URI request to the metrics endpoint, for example: curl "http://<host>:9464/http://"
  • Monitor your Node.js process logs or system logs for unexpected crashes or termination related to the OpenTelemetry Prometheus exporter.
  • Check the version of the OpenTelemetry packages in use; versions prior to 0.217.0 for @opentelemetry/exporter-prometheus and @opentelemetry/sdk-node, or prior to 0.75.0 for @opentelemetry/auto-instrumentations-node, are vulnerable.
Executive Summary

The vulnerability exists in the OpenTelemetry JavaScript Client (opentelemetry-js) prior to version 0.217.0. Specifically, the Prometheus exporter in Node.js processes crashes when it receives a single malformed HTTP request. This happens because the metrics endpoint, which listens by default on 0.0.0.0:9464, lacks error handling for URL parsing. When an invalid URI is requested, it triggers an uncaught TypeError that causes the Node.js process to terminate unexpectedly.

Impact Analysis

This vulnerability can cause denial of service by crashing any Node.js process running the OpenTelemetry JS Prometheus exporter when it receives a malformed HTTP request. This means that an attacker could disrupt the availability of your application or service by sending a specially crafted request, leading to unexpected termination of the process and potential downtime.

Mitigation Strategies

To mitigate this vulnerability, upgrade the opentelemetry-js package to version 0.217.0 or later, where the issue is fixed.

Avoid exposing the metrics endpoint (default 0.0.0.0:9464) to untrusted networks to reduce the risk of receiving malformed HTTP requests that could crash the Node.js process.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44902. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart