CVE-2026-44902
BaseFortify
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| opentelemetry | opentelemetry-js | to 0.217.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-755 | The product does not handle or incorrectly handles an exceptional condition. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the OpenTelemetry JavaScript Client (opentelemetry-js) prior to version 0.217.0. Specifically, the Prometheus exporter in Node.js processes crashes when it receives a single malformed HTTP request. This happens because the metrics endpoint, which listens by default on 0.0.0.0:9464, lacks error handling for URL parsing. When an invalid URI is requested, it triggers an uncaught TypeError that causes the Node.js process to terminate unexpectedly.
How can this vulnerability impact me? :
This vulnerability can cause denial of service by crashing any Node.js process running the OpenTelemetry JS Prometheus exporter when it receives a malformed HTTP request. This means that an attacker could disrupt the availability of your application or service by sending a specially crafted request, leading to unexpected termination of the process and potential downtime.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade the opentelemetry-js package to version 0.217.0 or later, where the issue is fixed.
Avoid exposing the metrics endpoint (default 0.0.0.0:9464) to untrusted networks to reduce the risk of receiving malformed HTTP requests that could crash the Node.js process.