
fix(deps): Update module go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp to v0.19.0 [SECURITY]#2483

Merged
kodiakhq[bot] merged 2 commits into main from renovate/go-go.opentelemetry.io-otel-exporters-otlp-otlplog-otlploghttp-vulnerability
Apr 8, 2026

Conversation


@cloudquery-ci cloudquery-ci bot commented Apr 8, 2026

This PR contains the following updates:

Package Change
go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.18.0 -> v0.19.0

GitHub Vulnerability Alerts

CVE-2026-39882

overview:
this report shows that the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory bytes.Buffer without a size cap.

this is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can mitm the exporter connection).

severity

HIGH

not claiming: this is a remote dos against every default deployment.
claiming: if the exporter sends traces to an untrusted collector endpoint (or over a network segment where mitm is realistic), that endpoint can crash the process via a large response body.

callsite (pinned):

  • exporters/otlp/otlptrace/otlptracehttp/client.go:199
  • exporters/otlp/otlptrace/otlptracehttp/client.go:230
  • exporters/otlp/otlpmetric/otlpmetrichttp/client.go:170
  • exporters/otlp/otlpmetric/otlpmetrichttp/client.go:201
  • exporters/otlp/otlplog/otlploghttp/client.go:190
  • exporters/otlp/otlplog/otlploghttp/client.go:221

permalinks (pinned):

root cause:
each exporter client reads resp.Body using io.Copy(&respData, resp.Body) into a bytes.Buffer on both success and error paths, with no upper bound.

impact:
a malicious collector can force large transient heap allocations during export (peak memory scales with attacker-chosen response size) and can potentially crash the instrumented process (oom).

affected component:

  • go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp
  • go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp
  • go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp

repro (local-only):

unzip poc.zip -d poc
cd poc
make canonical resp_bytes=33554432 chunk_delay_ms=0

expected output contains:

[CALLSITE_HIT]: otlptracehttp.UploadTraces::io.Copy(resp.Body)
[PROOF_MARKER]: resp_bytes=33554432 peak_alloc_bytes=118050512

control (same env, patched target):

unzip poc.zip -d poc
cd poc
make control resp_bytes=33554432 chunk_delay_ms=0

expected control output contains:

[CALLSITE_HIT]: otlptracehttp.UploadTraces::io.Copy(resp.Body)
[NC_MARKER]: resp_bytes=33554432 peak_alloc_bytes=512232

attachments: poc.zip (attached)

PR_DESCRIPTION.md

attack_scenario.md

poc.zip

Fixed in: https://github.com/open-telemetry/opentelemetry-go/pull/8108


Release Notes

open-telemetry/opentelemetry-go (go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp)

v0.19.0


Added
  • Added Marshaler config option to otlphttp to enable otlp over json or protobufs. (#1586)
  • A ForceFlush method to the "go.opentelemetry.io/otel/sdk/trace".TracerProvider to flush all registered SpanProcessors. (#1608)
  • Added WithSampler and WithSpanLimits to tracer provider. (#1633, #1702)
  • "go.opentelemetry.io/otel/trace".SpanContext now has a remote property, and IsRemote() predicate, that is true when the SpanContext has been extracted from remote context data. (#1701)
  • A Valid method to the "go.opentelemetry.io/otel/attribute".KeyValue type. (#1703)
Changed
  • trace.SpanContext is now immutable and has no exported fields. (#1573)
    • trace.NewSpanContext() can be used in conjunction with the trace.SpanContextConfig struct to initialize a new SpanContext where all values are known.
  • Update the ForceFlush method signature to the "go.opentelemetry.io/otel/sdk/trace".SpanProcessor to accept a context.Context and return an error. (#1608)
  • Update the Shutdown method to the "go.opentelemetry.io/otel/sdk/trace".TracerProvider return an error on shutdown failure. (#1608)
  • The SimpleSpanProcessor will now shut down the enclosed SpanExporter and gracefully ignore subsequent calls to OnEnd after Shutdown is called. (#1612)
  • "go.opentelemetry.io/sdk/metric/controller.basic".WithPusher is replaced with WithExporter to provide consistent naming across project. (#1656)
  • Added non-empty string check for trace Attribute keys. (#1659)
  • Add description to SpanStatus only when StatusCode is set to error. (#1662)
  • Jaeger exporter falls back to resource.Default's service.name if the exported Span does not have one. (#1673)
  • Jaeger exporter populates Jaeger's Span Process from Resource. (#1673)
  • Renamed the LabelSet method of "go.opentelemetry.io/otel/sdk/resource".Resource to Set. (#1692)
  • Changed WithSDK to WithSDKOptions to accept variadic arguments of TracerProviderOption type in go.opentelemetry.io/otel/exporters/trace/jaeger package. (#1693)
  • Changed WithSDK to WithSDKOptions to accept variadic arguments of TracerProviderOption type in go.opentelemetry.io/otel/exporters/trace/zipkin package. (#1693)
  • "go.opentelemetry.io/otel/sdk/resource".NewWithAttributes will now drop any invalid attributes passed. (#1703)
  • "go.opentelemetry.io/otel/sdk/resource".StringDetector will now error if the produced attribute is invalid. (#1703)
Removed
  • Removed serviceName parameter from Zipkin exporter and uses resource instead. (#1549)
  • Removed WithConfig from tracer provider to avoid overriding configuration. (#1633)
  • Removed the exported SimpleSpanProcessor and BatchSpanProcessor structs.
    These are now returned as a SpanProcessor interface from their respective constructors. (#1638)
  • Removed WithRecord() from trace.SpanOption when creating a span. (#1660)
  • Removed setting status to Error while recording an error as a span event in RecordError. (#1663)
  • Removed jaeger.WithProcess configuration option. (#1673)
  • Removed ApplyConfig method from "go.opentelemetry.io/otel/sdk/trace".TracerProvider and the now unneeded Config struct. (#1693)
Fixed
  • Jaeger Exporter: Ensure mapping between OTEL and Jaeger span data complies with the specification. (#1626)
  • SamplingResult.TraceState is correctly propagated to a newly created span's SpanContext. (#1655)
  • The otel-collector example now correctly flushes metric events prior to shutting down the exporter. (#1678)
  • Do not set span status message in SpanStatusFromHTTPStatusCode if it can be inferred from http.status_code. (#1681)
  • Synchronization issues in global trace delegate implementation. (#1686)
  • Reduced excess memory usage by global TracerProvider. (#1687)

Raw changes made between v0.18.0 and v0.19.0

2b4fa96 (HEAD -> main, tag: v0.19.0, tag: trace/v0.19.0, tag: sdk/v0.19.0, tag: sdk/metric/v0.19.0, tag: sdk/export/metric/v0.19.0, tag: oteltest/v0.19.0, tag: metric/v0.19.0, tag: exporters/trace/zipkin/v0.19.0, tag: exporters/trace/jaeger/v0.19.0, tag: exporters/stdout/v0.19.0, tag: exporters/otlp/v0.19.0, tag: exporters/metric/prometheus/v0.19.0, tag: example/zipkin/v0.19.0, tag: example/prometheus/v0.19.0, tag: example/prom-collector/v0.19.0, tag: example/otel-collector/v0.19.0, tag: example/opencensus/v0.19.0, tag: example/namedtracer/v0.19.0, tag: example/jaeger/v0.19.0, tag: bridge/opentracing/v0.19.0, tag: bridge/opencensus/v0.19.0, upstream/main, origin/main) Release v0.19.0 (#1710)
4beb704 sdk/trace: removing ApplyConfig and Config (#1693)
1d42be1 Rename WithDefaultSampler TracerProvider option to WithSampler and update docs (#1702)
860d5d8 Add flag to determine whether SpanContext is remote (#1701)
0fe65e6 Comply with OpenTelemetry attributes specification (#1703)
8888435 Bump google.golang.org/api from 0.40.0 to 0.41.0 in /exporters/trace/jaeger (#1700)
345f264 (global-docs) breaking(zipkin): removes servicName from zipkin exporter. (#1697)
62cbf0f Populate Jaeger's Span.Process from Resource (#1673)
28eaaa9 Add a test to prove the Tracer is safe for concurrent calls (#1665)
8b1be11 Rename resource pkg label vars and methods (#1692)
a1539d4 OpenCensus metric exporter bridge (#1444)
77aa218 Fix issue #1490, apply same logic as in the SDK (#1687)
9d3416c Fix synchronization issues in global trace delegate implementation (#1686)
58f69f0 Span status from HTTP code: Do not set status message if it can be inferred (#1681)
9c305bd Flush metric events prior to shutdown in OTLP example (#1678)
66b1135 Fix CHANGELOG (#1680)
90bd4ab Update employer information for maintainers (#1683)
3684191 Remove WithRecord() option from trace.SpanOption when starting a span (#1660)
65c7de2 Remove trace prefix from NoOp src files. (#1679)
e88a091 Make SpanContext Immutable (#1573)
d75e268 Avoid overriding configuration of tracer provider (#1633)
2b4d5ac Bump github.com/golangci/golangci-lint in /internal/tools (#1671)
150b868 Bump github.com/google/go-cmp from 0.5.4 to 0.5.5 (#1667)
76aa924 Fix the examples target info messaging (#1676)
a3aa9fd Bump github.com/itchyny/gojq from 0.12.1 to 0.12.2 in /internal/tools (#1672)
a5edd79 Removed setting error status while recording err as span event (#1663)
e981475 chore(zipkin): improves zipkin example to not to depend on timeouts. (#1566)
3dc91f2 Add ForceFlush method to TracerProvider (#1608)
bd0bba4 exporter: swap pusher for exporter (#1656)
5690485 Update the SimpleSpanProcessor (#1612)
a7f7aba SpanStatus description set only when status code is set to Error (#1662)
05252f4 Jaeger Exporter: Fix minor mapping discrepancies (#1626)
238e7c6 Add non-empty string check for attribute keys (#1659)
e9b9aca Add tests for propagation of Sampler Tracestate changes (#1655)
875a258 Add docs on when reviews should be cleared (#1556)
7153ef2 Add HTTP/JSON to the otlp exporter (#1586)
62e2a0f Unexport the simple and batch SpanProcessors (#1638)
992837f Add TracerProvider tests to oteltest harness (#1607)


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by Renovate Bot.
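The advisory quoted in the PR body comes down to one pattern: an OTLP HTTP client copying resp.Body into a bytes.Buffer with no upper bound, so peak heap during an export is chosen by whoever answers the request. The following is an added example, not code from the opentelemetry-go project or from this PR, showing that unbounded pattern next to a capped read that reports an over-limit body as an error instead of silently truncating it. The function names (readBodyUnbounded, readBodyBounded, drainResponse), the 1 MiB cap, and the httptest stand-in collector that answers with a 32 MiB body (the same size as the advisory's repro) are all assumptions constructed for this example.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// ErrResponseTooLarge is returned when the remote side sends more than the cap.
var ErrResponseTooLarge = errors.New("otlp response body exceeds configured limit")

// readBodyUnbounded mirrors the pattern the advisory describes: io.Copy into a
// bytes.Buffer with no upper bound. The buffer grows to whatever the remote
// side chooses to send, on success and error paths alike.
func readBodyUnbounded(body io.Reader) ([]byte, error) {
	var respData bytes.Buffer
	if _, err := io.Copy(&respData, body); err != nil {
		return nil, err
	}
	return respData.Bytes(), nil
}

// readBodyBounded is the hardened form: it reads at most maxBytes. The
// io.LimitReader is given a one-byte allowance so that a body larger than the
// cap is detected (n > maxBytes) and surfaced as ErrResponseTooLarge rather
// than being quietly cut off and mistaken for a complete response.
func readBodyBounded(body io.Reader, maxBytes int64) ([]byte, error) {
	var respData bytes.Buffer
	n, err := io.Copy(&respData, io.LimitReader(body, maxBytes+1))
	if err != nil {
		return nil, err
	}
	if n > maxBytes {
		return nil, ErrResponseTooLarge
	}
	return respData.Bytes(), nil
}

// drainResponse applies the cap to an *http.Response and always closes the
// body. Callers still get the payload (partial-success details or an error
// message) when it is small; the allocation is bounded whatever the status.
func drainResponse(resp *http.Response, maxBytes int64) ([]byte, error) {
	defer resp.Body.Close()
	return readBodyBounded(resp.Body, maxBytes)
}

func main() {
	// Constructed stand-in for a misbehaving collector: every export request
	// is answered with a 32 MiB body, streamed in 1 MiB chunks.
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
		chunk := bytes.Repeat([]byte("A"), 1<<20)
		for i := 0; i < 32; i++ {
			if _, err := w.Write(chunk); err != nil {
				return
			}
		}
	}))
	defer srv.Close()

	// Assumed cap for this example; a real exporter would make it configurable.
	const maxRespBytes = 1 << 20

	payload := bytes.NewReader([]byte("constructed-otlp-payload"))
	resp, err := http.Post(srv.URL+"/v1/logs", "application/x-protobuf", payload)
	if err != nil {
		fmt.Println("request failed:", err)
		return
	}
	body, err := drainResponse(resp, maxRespBytes)
	// Expected: 0 bytes kept and err == ErrResponseTooLarge, with the client's
	// heap growth capped near 1 MiB instead of tracking the 32 MiB response.
	fmt.Printf("bounded read: kept %d bytes, err=%v\n", len(body), err)
}
```

The cap is the only behavioural change between the two readers: a body at or under the limit comes back intact, and the error path lets the exporter log or count the oversized response as a signal that the configured endpoint is not behaving like a collector.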


cloudquery-ci bot commented Apr 8, 2026

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 11 additional dependencies were updated

Details:

Package Change
go.opentelemetry.io/otel v1.42.0 -> v1.43.0
go.opentelemetry.io/otel/log v0.18.0 -> v0.19.0
go.opentelemetry.io/otel/metric v1.42.0 -> v1.43.0
go.opentelemetry.io/otel/sdk v1.42.0 -> v1.43.0
go.opentelemetry.io/otel/sdk/log v0.18.0 -> v0.19.0
go.opentelemetry.io/otel/sdk/metric v1.42.0 -> v1.43.0
go.opentelemetry.io/otel/trace v1.42.0 -> v1.43.0
google.golang.org/grpc v1.79.3 -> v1.80.0
go.opentelemetry.io/proto/otlp v1.9.0 -> v1.10.0
google.golang.org/genproto/googleapis/api v0.0.0-20260209200024-4cfbd4190f57 -> v0.0.0-20260401024825-9d38bb4040a9
google.golang.org/genproto/googleapis/rpc v0.0.0-20260319201613-d00831a3d3e7 -> v0.0.0-20260401024825-9d38bb4040a9

@kodiakhq kodiakhq bot merged commit 7161513 into main Apr 8, 2026
9 checks passed
@kodiakhq kodiakhq bot deleted the renovate/go-go.opentelemetry.io-otel-exporters-otlp-otlplog-otlploghttp-vulnerability branch April 8, 2026 20:30