Commit 6050337

1 parent 0b83063 commit 6050337

1 file changed

Lines changed: 83 additions & 0 deletions

@@ -0,0 +1,83 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-995v-fvrw-c78m",
4+
"modified": "2026-05-28T17:19:10Z",
5+
"published": "2026-05-28T17:19:10Z",
6+
"aliases": [
7+
"CVE-2026-45287"
8+
],
9+
"summary": "opentelemetry-go's Schema ParseFile leaks file descriptors on each parse",
10+
"details": "### Summary\n\n`go.opentelemetry.io/otel/schema/v1.0` and `go.opentelemetry.io/otel/schema/v1.1` leaks one file descriptor on each successful `ParseFile` call. `ParseFile` opens the schema file and passes it to `Parse` without closing it; repeated parsing in a long-running process can exhaust the process file descriptor limit and cause denial of service. The severity is low because exploitation depends on a consuming application exposing repeated schema parsing to an attacker-controlled path.\n\nIntroduced in commit: e72a235\n\n### Details\n\nIn `schema/v1.0/parser.go:41-47`, `ParseFile` opens the requested schema path with `os.Open` and then returns `Parse(file)` without a `defer file.Close()` or other close path:\n\n```go\nfile, err := os.Open(schemaFilePath)\nif err != nil {\n\treturn nil, err\n}\nreturn Parse(file)\n```\n\nThe validation evidence also identifies `schema/v1.0/parser.go:50-73`: `Parse` accepts an `io.Reader`, decodes from it, and does not close it. Ownership of the opened file is therefore not transferred to `Parse`, leaving the descriptor open until the Go runtime eventually finalizes the file object. 
With repeated `ParseFile` calls, descriptors can accumulate until the process receives `EMFILE` / \"too many open files\".\n\n### PoC\n\n[validation-artifact.zip](https://github.com/user-attachments/files/27494463/validation-artifact.zip)\n\nThe local artifact `validation-artifact.zip` contains:\n\n- `leak_poc.go`: PoC source that repeatedly calls `schema.ParseFile(\"schema/v1.0/testdata/valid-example.yaml\")` and prints `/proc/self/fd` counts.\n- `LEAK_POC_README.txt`: reproduction notes.\n- `leak_poc_run.log`: captured attempted run; the local offline environment failed before execution because Go module download from `proxy.golang.org` was forbidden.\n\nReproduce from the root of a checkout of `pellared/opentelemetry-go` at commit `e72a235` with Go module dependencies already available:\n\n```sh\n/bin/sh -c 'ulimit -n 256; GOGC=off go run leak_poc.go'\n```\n\nConfiguration:\n\n- File descriptor soft limit: `256`\n- Garbage collection: disabled with `GOGC=off` so leaked descriptors are not reclaimed during the loop\n- Schema file: `schema/v1.0/testdata/valid-example.yaml`\n\nExpected output is increasing descriptor counts followed by an `EMFILE` failure, for example:\n\n```text\niter 0 fds 7\niter 50 fds 57\niter 100 fds 107\n...\npanic: iteration 248: open schema/v1.0/testdata/valid-example.yaml: too many open files\n```\n\nThe exact initial descriptor count and failing iteration can vary by OS and process state.\n\n### Impact\n\nThis is a file descriptor resource leak leading to availability loss. Applications that call `schema.ParseFile` repeatedly, especially through a runtime reload or request-controlled path, can exhaust their process file descriptor table and fail subsequent file, socket, or other descriptor operations. Impact is limited to denial of service of the consuming process; the evidence does not show confidentiality or integrity impact.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Go",
21+
"name": "go.opentelemetry.io/otel/schema/v1.1"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "0.0.17"
32+
}
33+
]
34+
}
35+
],
36+
"database_specific": {
37+
"last_known_affected_version_range": "<= 0.0.16"
38+
}
39+
},
40+
{
41+
"package": {
42+
"ecosystem": "Go",
43+
"name": "go.opentelemetry.io/otel/schema/v1.0"
44+
},
45+
"ranges": [
46+
{
47+
"type": "ECOSYSTEM",
48+
"events": [
49+
{
50+
"introduced": "0"
51+
},
52+
{
53+
"fixed": "0.0.17"
54+
}
55+
]
56+
}
57+
],
58+
"database_specific": {
59+
"last_known_affected_version_range": "<= 0.0.16"
60+
}
61+
}
62+
],
63+
"references": [
64+
{
65+
"type": "WEB",
66+
"url": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-995v-fvrw-c78m"
67+
},
68+
{
69+
"type": "PACKAGE",
70+
"url": "https://github.com/open-telemetry/opentelemetry-go"
71+
}
72+
],
73+
"database_specific": {
74+
"cwe_ids": [
75+
"CWE-772",
76+
"CWE-775"
77+
],
78+
"severity": "LOW",
79+
"github_reviewed": true,
80+
"github_reviewed_at": "2026-05-28T17:19:10Z",
81+
"nvd_published_at": null
82+
}
83+
}
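Review bot: the reproduction steps in `details` point at a checkout of `pellared/opentelemetry-go` at commit `e72a235`, but `references` lists only the upstream `open-telemetry/opentelemetry-go` repository and no fix reference, so a reader cannot tie `"fixed": "0.0.17"` to an actual change; consider adding a `FIX` or `WEB` reference to the upstream fix and citing the upstream commit rather than the fork. `details` also cites only `schema/v1.0/parser.go:41-47` and `:50-73` even though `go.opentelemetry.io/otel/schema/v1.1` is listed in `affected`, so the v1.1 location should be cited as well. The exploitation scenario in `details` ("attacker-controlled path", "request-controlled path") does not obviously match the `AV:L/AT:P` CVSS 4.0 vector; one of them should be reconciled. Minor: "`v1.0` and `v1.1` leaks one file descriptor" should read "leak".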
