Denial of Service Vulnerability in OpenTelemetry JavaScript Client
CVE-2026-44902
7.5 HIGH
What is CVE-2026-44902?
The OpenTelemetry JavaScript client has a vulnerability that lets a single malformed HTTP request crash any Node.js process that uses the Prometheus exporter. The cause is missing error handling in the metrics endpoint, served by default at 0.0.0.0:9464: an invalid URI in the request raises an uncaught TypeError, which terminates the whole process. The flaw is fixed in version 0.217.0.
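Added illustration of the failure mode, not code from the opentelemetry-js project: a request router that resolves the request target against the listen address with Node's WHATWG `URL` parser. The unguarded form lets a parse failure escape as a TypeError, which is fatal when it happens inside an http request listener; the guarded form answers 400 and keeps serving. The metrics path and the sample request targets are constructed for the example and assumed, not taken from the advisory.

```javascript
// Added example, not code from opentelemetry-js. Assumption: the handler
// resolves the raw request target with new URL(); invalid input makes that
// throw a TypeError (ERR_INVALID_URL) and nothing above it catches it.

// Default listen address named in the advisory, used as the URL base.
const BASE_URL = 'http://0.0.0.0:9464/';
const METRICS_PATH = '/metrics'; // assumed endpoint path

// Constructed sample request targets (not taken from the advisory).
const VALID_TARGET = '/metrics';
const MALFORMED_TARGET = 'http://'; // absolute-form target with no host

// Unguarded routing: a parse failure propagates as an exception. Thrown from
// inside an http 'request' listener it is an uncaught exception, so Node.js
// exits and one bad request stops metrics for the whole process.
function routeUnguarded(rawTarget) {
  const { pathname } = new URL(rawTarget, BASE_URL);
  return pathname === METRICS_PATH ? 200 : 404;
}

// Guarded routing: URL parsing is treated as untrusted input handling.
// A parse failure is answered with 400 and the process keeps running.
function routeGuarded(rawTarget) {
  let pathname;
  try {
    ({ pathname } = new URL(rawTarget ?? '', BASE_URL));
  } catch (err) {
    if (err instanceof TypeError) return 400; // malformed target: fail per request
    throw err; // anything else is a programming error, let it surface
  }
  return pathname === METRICS_PATH ? 200 : 404;
}
```

Operationally, the unguarded pattern shows up as exporter restart loops and scrape gaps after a single odd request, while the guarded pattern leaves a 400 in the access log instead.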
Affected Version(s)
auto-instrumentations-node < 0.75.0
exporter-prometheus < 0.217.0
opentelemetry-js < 0.217.0
