The vulnerability in open-telemetry's opentelemetry-dotnet-contrib (<=1.15.0-beta.1) involves the AzureVmMetaDataRequestor class making HTTP requests to the Azure VM instance metadata service and reading the entire response body into memory without imposing size limits. This allows an attacker who can control or intercept the endpoint to return an arbitrarily large response, causing unbounded heap allocation in the process. The resulting memory pressure can lead to garbage collection stalls or an OutOfMemoryException that terminates the process. The issue is addressed in version 1.15.1-beta.1 by streaming responses and ignoring responses larger than 4 MiB. Mitigations include disabling the Azure VM resource detector or applying network-level protections such as firewall rules, mTLS, or service mesh to prevent man-in-the-middle attacks on the metadata endpoint. The vendor manages remediation for this cloud service.

An attacker able to control or intercept the Azure VM instance metadata endpoint can cause the vulnerable process to allocate unbounded memory, potentially leading to high transient memory pressure, garbage collection delays, or process termination via OutOfMemoryException. This results in denial of service of the affected application or service using the vulnerable library. There is no impact on confidentiality or integrity reported.

A fix is available in open-telemetry opentelemetry-dotnet-contrib version 1.15.1-beta.1, which streams metadata responses and ignores those larger than 4 MiB. Since this is a cloud-hosted service component, the vendor manages remediation for the service. Until upgrading, users should disable the Azure VM resource detector or implement network-level controls such as firewall rules, mutual TLS, or service mesh to prevent man-in-the-middle attacks on the Azure VM instance metadata endpoint.