CVE-2023-43810
CVE-2023-43810 is a high-severity vulnerability in Opentelemetry with a CVSS 3.x base score of 7.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-400.
Key facts
- Severity: High (CVSS 3.x base score 7.5)
- EPSS exploit prediction: 1% (48th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-400
- Affected product: Opentelemetry
- Published:
- Last modified:
Description
OpenTelemetry, also known as OTel for short, is a vendor-neutral open-source Observability framework for instrumenting, generating, collecting, and exporting telemetry data such as traces, metrics, logs. Autoinstrumentation out of the box adds the label `http_method` that has unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. HTTP method for requests can be easily set by an attacker to be random and long. In order to be affected program has to be instrumented for HTTP handlers and does not filter any unknown HTTP methods on the level of CDN, LB, previous middleware, etc. This issue has been patched in version 0.41b0.
Frequently asked questions
- What is CVE-2023-43810?
- OpenTelemetry, also known as OTel for short, is a vendor-neutral open-source Observability framework for instrumenting, generating, collecting, and exporting telemetry data such as traces, metrics, logs. Autoinstrumentation out of the box adds the label `http_method` that has unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. HTTP method for requests can be easily set by an attacker to be random and long. In order to be affected program has to be instrumented for HTTP handlers and does not filter any unknown HTTP methods on the level of CDN, LB, previous middleware, etc. This issue has been patched in version 0.41b0.
- How severe is CVE-2023-43810?
- CVE-2023-43810 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability high.
- Is CVE-2023-43810 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (48th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2023-43810?
- CVE-2023-43810 affects Opentelemetry. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2023-43810?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- When was CVE-2023-43810 published?
- CVE-2023-43810 was published on 2023-10-06 and last updated on 2026-06-17.
References
- https://github.com/open-telemetry/opentelemetry-python-contrib/commit/6007e0c013071e7f8b9612d3bc68aeb9d600d74e
- https://github.com/open-telemetry/opentelemetry-python-contrib/releases/tag/v0.41b0
- https://github.com/open-telemetry/opentelemetry-python-contrib/security/advisories/GHSA-5rv5-6h4r-h22v
Affected products (1)
- cpe:2.3:a:opentelemetry:opentelemetry:*:*:*:*:*:*:*:*
More vulnerabilities in Opentelemetry
- CVE-2026-29181 — High (CVSS 7.5): OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value baggage: header…
- CVE-2023-47108 — High (CVSS 7.5): OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Starting in version 0.37.0 and…
- CVE-2023-45142 — High (CVSS 7.5): OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box…
- CVE-2026-39883 — High (CVSS 7.0): OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed…
- CVE-2026-24051 — High (CVSS 7.0): OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is…
- CVE-2026-41078 — Medium (CVSS 5.9): OpenTelemetry dotnet is a dotnet telemetry framework. In 1.6.0-rc.1 and earlier, OpenTelemetry.Exporter.Jaeger may…
All CVEs affecting Opentelemetry →
Other CWE-400 (Uncontrolled Resource Consumption) vulnerabilities
- CVE-2026-46775 — Critical (CVSS 9.9): Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0.…
- CVE-2025-61303 — Critical (CVSS 9.8): Hatching Triage Sandbox Windows 10 build 2004 (2025-08-14) and Windows 10 LTSC 2021(2025-08-14) contains a…
- CVE-2025-43193 — Critical (CVSS 9.8): The issue was addressed with improved memory handling. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.7.7,…
- CVE-2025-24269 — Critical (CVSS 9.8): The issue was addressed with improved memory handling. This issue is fixed in macOS Sequoia 15.4. An app may be able to…
- CVE-2025-24264 — Critical (CVSS 9.8): The issue was addressed with improved memory handling. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4,…
- CVE-2025-24260 — Critical (CVSS 9.8): The issue was addressed with improved memory handling. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5,…
Browse all CWE-400 (Uncontrolled Resource Consumption) vulnerabilities →