{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41173", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-17T16:34:45.525Z", "datePublished": "2026-04-23T18:22:31.771Z", "dateUpdated": "2026-04-23T19:16:04.096Z"}, "containers": {"cna": {"title": "Unbounded HTTP response body read in OpenTelemetry.Sampler.AWS", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/open-telemetry/opentelemetry-dotnet-contrib/security/advisories/GHSA-28xm-prxc-5866", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/open-telemetry/opentelemetry-dotnet-contrib/security/advisories/GHSA-28xm-prxc-5866"}, {"name": "https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/4100", "tags": ["x_refsource_MISC"], "url": "https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/4100"}], "affected": [{"vendor": "open-telemetry", "product": "opentelemetry-dotnet-contrib", "versions": [{"version": "< 0.1.0-alpha.8", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-23T18:22:31.771Z"}, "descriptions": [{"lang": "en", "value": "The AWS X-Ray Remote Sampler package provides a sampler which can get sampling configurations from AWS X-Ray. Prior to 0.1.0-alpha.8, OpenTelemetry.Sampler.AWS reads unbounded HTTP response bodies from a configured AWS X-Ray remote sampling endpoint into memory. AWSXRaySamplerClient.DoRequestAsync called HttpClient.SendAsync followed by ReadAsStringAsync(), which materializes the entire HTTP response body into a single in-memory string with no size limit. The sampling endpoint is configurable via AWSXRayRemoteSamplerBuilder.SetEndpoint (default: http://localhost:2000). An attacker who controls the configured endpoint, or who can intercept traffic to it (MitM), can return an arbitrarily large response body. This causes unbounded heap allocation in the consuming process, leading to high transient memory pressure, garbage-collection stalls, or an OutOfMemoryException that terminates the process. This vulnerability is fixed in 0.1.0-alpha.8."}], "source": {"advisory": "GHSA-28xm-prxc-5866", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-23T19:11:43.914906Z", "id": "CVE-2026-41173", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T19:16:04.096Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41173", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-23T19:11:43.914906Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T19:15:20.291Z"}}], "cna": {"title": "Unbounded HTTP response body read in OpenTelemetry.Sampler.AWS", "source": {"advisory": "GHSA-28xm-prxc-5866", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "open-telemetry", "product": "opentelemetry-dotnet-contrib", "versions": [{"status": "affected", "version": "< 0.1.0-alpha.8"}]}], "references": [{"url": "https://github.com/open-telemetry/opentelemetry-dotnet-contrib/security/advisories/GHSA-28xm-prxc-5866", "name": "https://github.com/open-telemetry/opentelemetry-dotnet-contrib/security/advisories/GHSA-28xm-prxc-5866", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/4100", "name": "https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/4100", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "The AWS X-Ray Remote Sampler package provides a sampler which can get sampling configurations from AWS X-Ray. Prior to 0.1.0-alpha.8, OpenTelemetry.Sampler.AWS reads unbounded HTTP response bodies from a configured AWS X-Ray remote sampling endpoint into memory. AWSXRaySamplerClient.DoRequestAsync called HttpClient.SendAsync followed by ReadAsStringAsync(), which materializes the entire HTTP response body into a single in-memory string with no size limit. The sampling endpoint is configurable via AWSXRayRemoteSamplerBuilder.SetEndpoint (default: http://localhost:2000). An attacker who controls the configured endpoint, or who can intercept traffic to it (MitM), can return an arbitrarily large response body. This causes unbounded heap allocation in the consuming process, leading to high transient memory pressure, garbage-collection stalls, or an OutOfMemoryException that terminates the process. This vulnerability is fixed in 0.1.0-alpha.8."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-23T18:22:31.771Z"}}}, "cveMetadata": {"cveId": "CVE-2026-41173", "state": "PUBLISHED", "dateUpdated": "2026-04-23T19:16:04.096Z", "dateReserved": "2026-04-17T16:34:45.525Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-23T18:22:31.771Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The AWS X-Ray Remote Sampler package provides a sampler which can get sampling configurations from AWS X-Ray. Prior to 0.1.0-alpha.8, OpenTelemetry.Sampler.AWS reads unbounded HTTP response bodies from a configured AWS X-Ray remote sampling endpoint into memory. AWSXRaySamplerClient.DoRequestAsync called HttpClient.SendAsync followed by ReadAsStringAsync(), which materializes the entire HTTP response body into a single in-memory string with no size limit. The sampling endpoint is configurable via AWSXRayRemoteSamplerBuilder.SetEndpoint (default: http://localhost:2000). An attacker who controls the configured endpoint, or who can intercept traffic to it (MitM), can return an arbitrarily large response body. This causes unbounded heap allocation in the consuming process, leading to high transient memory pressure, garbage-collection stalls, or an OutOfMemoryException that terminates the process. This vulnerability is fixed in 0.1.0-alpha.8."}], "id": "CVE-2026-41173", "lastModified": "2026-04-24T14:50:56.203", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-23T19:17:29.083", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/4100"}, {"source": "security-advisories@github.com", "url": "https://github.com/open-telemetry/opentelemetry-dotnet-contrib/security/advisories/GHSA-28xm-prxc-5866"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.1.0-alpha.8)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "product": "opentelemetry-dotnet-contrib", "vendor": "opentelemetry"}], "analysis": {"en": {"generated_at": "2026-04-28T20:29:48.373555+00:00", "value": {"mitigation_remediation": ["Update OpenTelemetry.Sampler.AWS to version 0.1.0\u2011alpha.8 or later, where the response body size is bounded or streaming.", "Limit the configured remote sampling endpoint to a trusted host or IP address to prevent malicious responses.", "If remote sampling is not required, disable the AWS X\u2011Ray remote sampler or remove the dependency altogether."], "summary": {"action": "Patch", "impact": "Denial of Service via memory exhaustion"}, "threat_synthesis": {"affected_systems": "The issue affects the OpenTelemetry .NET Contrib library, specifically the AWS X\u2011Ray Remote Sampler component in versions prior to 0.1.0\u2011alpha.8. Any process using this supplier and connecting to a remote sampling endpoint can be impacted.", "description_and_impact": "A flaw in OpenTelemetry.Sampler.AWS allows an attacker that can control or intercept the configured AWS X\u2011Ray remote sampling endpoint to return an arbitrarily large HTTP response body. The sampler reads the entire response into memory with no size limit, causing unbounded heap allocation, high memory pressure, garbage\u2011collection stalls, or an OutOfMemoryException that terminates the process. This vulnerability can be exploited locally or remotely if the attacker can influence the endpoint the application uses.", "risk_and_exploitability": "The CVSS score of 5.9 indicates a moderate severity. The EPSS score of less than 1% shows that exploit probability is low at present and the vulnerability is not listed in CISA\u2019s KEV catalog. The likely attack vector requires an attacker to control the endpoint or perform a man\u2011in\u2011the\u2011middle to supply a large response; this is feasible if the endpoint is not properly secured or restricted."}}}}, "created": "2026-04-28T09:25:48.686489+00:00", "updated": "2026-04-28T20:30:06.197555+00:00", "vendors": ["opentelemetry", "opentelemetry$PRODUCT$opentelemetry-dotnet-contrib"]}