OpenTelemetry JavaScript Client Vulnerability in Jaeger Propagator
CVE-2026-59892
7.5HIGH
What is CVE-2026-59892?
The OpenTelemetry JavaScript client, specifically the @opentelemetry/propagator-jaeger, is vulnerable to a flaw where it decodes incoming HTTP headers (uber-trace-id and uberctx-*) using decodeURIComponent() without proper error handling. This oversight allows an unauthenticated remote attacker to exploit the system by sending a malformed percent-encoded value. The result can cause an uncaught URIError that disrupts the Node.js process tied to the JaegerPropagator. Users are encouraged to upgrade to version 2.9.0 or later to mitigate this risk.
Affected Version(s)
opentelemetry-js < 2.9.0
