CVE-2026-41173: CWE-770: Allocation of Resources Without Limits or Throttling in open-telemetry opentelemetry-dotnet-contrib
The AWS X-Ray Remote Sampler package provides a sampler which can get sampling configurations from AWS X-Ray. Prior to 0.1.0-alpha.8, OpenTelemetry.Sampler.AWS reads unbounded HTTP response bodies from a configured AWS X-Ray remote sampling endpoint into memory. AWSXRaySamplerClient.DoRequestAsync called HttpClient.SendAsync followed by ReadAsStringAsync(), which materializes the entire HTTP response body into a single in-memory string with no size limit. The sampling endpoint is configurable via AWSXRayRemoteSamplerBuilder.SetEndpoint (default: http://localhost:2000). An attacker who controls the configured endpoint, or who can intercept traffic to it (MitM), can return an arbitrarily large response body. This causes unbounded heap allocation in the consuming process, leading to high transient memory pressure, garbage-collection stalls, or an OutOfMemoryException that terminates the process. This vulnerability is fixed in 0.1.0-alpha.8.
AI Analysis
Technical Summary
The vulnerability arises because the AWSXRaySamplerClient.DoRequestAsync method uses HttpClient.SendAsync followed by ReadAsStringAsync to read the entire HTTP response body into memory without size limits. If an attacker controls or can intercept the configured sampling endpoint (default http://localhost:2000), they can supply an arbitrarily large response body. This causes unbounded heap allocation in the consuming process, leading to performance degradation or process crashes. The issue affects versions of opentelemetry-dotnet-contrib prior to 0.1.0-alpha.8 and is fixed in that version.
Potential Impact
Exploitation can cause the affected application to consume excessive memory, resulting in high transient memory pressure, garbage collection stalls, or an OutOfMemoryException that terminates the process. There is no direct impact on confidentiality or integrity, but availability is affected due to potential process crashes or degraded performance.
Mitigation Recommendations
A fix is available in version 0.1.0-alpha.8 of opentelemetry-dotnet-contrib. Users should upgrade to this version or later to remediate the vulnerability. Since this is a cloud service component, the vendor manages remediation for the cloud-hosted service; users should verify with the vendor advisory for the latest status. Until patched, ensure that the configured AWS X-Ray remote sampling endpoint is trusted and protected from interception or manipulation.
CVE-2026-41173: CWE-770: Allocation of Resources Without Limits or Throttling in open-telemetry opentelemetry-dotnet-contrib
Description
The AWS X-Ray Remote Sampler package provides a sampler which can get sampling configurations from AWS X-Ray. Prior to 0.1.0-alpha.8, OpenTelemetry.Sampler.AWS reads unbounded HTTP response bodies from a configured AWS X-Ray remote sampling endpoint into memory. AWSXRaySamplerClient.DoRequestAsync called HttpClient.SendAsync followed by ReadAsStringAsync(), which materializes the entire HTTP response body into a single in-memory string with no size limit. The sampling endpoint is configurable via AWSXRayRemoteSamplerBuilder.SetEndpoint (default: http://localhost:2000). An attacker who controls the configured endpoint, or who can intercept traffic to it (MitM), can return an arbitrarily large response body. This causes unbounded heap allocation in the consuming process, leading to high transient memory pressure, garbage-collection stalls, or an OutOfMemoryException that terminates the process. This vulnerability is fixed in 0.1.0-alpha.8.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability arises because the AWSXRaySamplerClient.DoRequestAsync method uses HttpClient.SendAsync followed by ReadAsStringAsync to read the entire HTTP response body into memory without size limits. If an attacker controls or can intercept the configured sampling endpoint (default http://localhost:2000), they can supply an arbitrarily large response body. This causes unbounded heap allocation in the consuming process, leading to performance degradation or process crashes. The issue affects versions of opentelemetry-dotnet-contrib prior to 0.1.0-alpha.8 and is fixed in that version.
Potential Impact
Exploitation can cause the affected application to consume excessive memory, resulting in high transient memory pressure, garbage collection stalls, or an OutOfMemoryException that terminates the process. There is no direct impact on confidentiality or integrity, but availability is affected due to potential process crashes or degraded performance.
Mitigation Recommendations
A fix is available in version 0.1.0-alpha.8 of opentelemetry-dotnet-contrib. Users should upgrade to this version or later to remediate the vulnerability. Since this is a cloud service component, the vendor manages remediation for the cloud-hosted service; users should verify with the vendor advisory for the latest status. Until patched, ensure that the configured AWS X-Ray remote sampling endpoint is trusted and protected from interception or manipulation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-17T16:34:45.525Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Is Cloud Service
- true
Threat ID: 69ea6a1b87115cfb68455bea
Added to database: 4/23/2026, 6:51:07 PM
Last enriched: 4/23/2026, 7:06:33 PM
Last updated: 4/23/2026, 9:05:03 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.