CVE-2023-47108 in opentelemetry-go-contrib

Summary

by MITRE • 11/10/2023

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Starting in version 0.37.0 and prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. An attacker can easily flood the peer address and port for requests. Version 0.46.0 contains a fix for this issue. As a workaround to stop being affected, a view removing the attributes can be used. The other possibility is to disable grpc metrics instrumentation by passing `otelgrpc.WithMeterProvider` option with `noop.NewMeterProvider`.


Analysis

by VulDB Data Team • 10/28/2025

The vulnerability described in CVE-2023-47108 affects the OpenTelemetry-Go Contrib library, specifically within its gRPC Unary Server Interceptor implementation. This issue represents a classic case of unbounded cardinality in telemetry data collection that can lead to resource exhaustion. The problem manifests when the interceptor automatically adds labels `net.peer.sock.addr` and `net.peer.sock.port` to telemetry data without proper cardinality controls. These attributes are designed to capture network peer information but lack any mechanism to limit the number of unique values that can be recorded, creating a potential denial of service vector.

The technical flaw stems from the interceptor's default behavior of collecting peer socket address and port information as part of the gRPC server metrics instrumentation. When malicious actors send numerous requests with different peer addresses and ports, each unique combination generates a new telemetry metric entry. This creates an unbounded growth in the telemetry data set, where each distinct peer address and port combination becomes a separate metric dimension. The vulnerability is particularly concerning because it operates at the instrumentation layer, meaning that any application using the affected version of OpenTelemetry-Go Contrib automatically becomes susceptible to this memory exhaustion attack without requiring any special configuration or setup.

From an operational impact perspective, this vulnerability can lead to significant system degradation and potential service disruption. The memory exhaustion occurs because the telemetry system continuously accumulates new metric entries for each unique peer combination, eventually consuming all available memory resources. This type of attack aligns with attack patterns described in the ATT&CK framework under the T1499.004 technique for Network Denial of Service, where adversaries leverage application-level vulnerabilities to exhaust system resources. The vulnerability affects systems that rely on gRPC server instrumentation and can impact any application that uses OpenTelemetry-Go Contrib versions between 0.37.0 and 0.45.0, making it particularly widespread in microservices architectures that depend on gRPC communication patterns.

The remediation strategy for CVE-2023-47108 involves multiple approaches that align with industry best practices for managing telemetry data cardinality. The most direct solution is upgrading to version 0.46.0 or later, which includes the necessary fixes to control attribute cardinality. Organizations can also implement workarounds such as creating views that remove the problematic attributes from the telemetry data, effectively preventing the unbounded growth. Alternative approaches include disabling gRPC metrics instrumentation entirely by using the `otelgrpc.WithMeterProvider` option with `noop.NewMeterProvider`, which completely removes the telemetry collection for gRPC operations. This vulnerability is categorized under CWE-1242, which specifically addresses issues related to unbounded resource consumption through telemetry data collection. Organizations should implement monitoring for telemetry data cardinality and establish resource limits for telemetry processing to prevent similar issues in other components of their distributed systems. The fix demonstrates proper defensive programming practices by implementing cardinality limits and preventing the accumulation of unlimited metric dimensions, which is essential for maintaining system stability in high-throughput environments.
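The cardinality growth described in the analysis and the view-based workaround, shown as an added Go example that is not part of this VulDB entry or of opentelemetry-go-contrib: it models a metric instrument as a map from attribute set to value (a simplification of what a metrics SDK holds in memory), records constructed requests that each arrive from a different peer address and port, and compares the number of series kept with the default stream against a stream whose filter drops `net.peer.sock.addr` and `net.peer.sock.port`. The service name, method name and peer addresses are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Attribute is a single metric label (key/value), modelled after OpenTelemetry attributes.
type Attribute struct{ Key, Value string }

// AttributeFilter decides which attribute keys a metric stream keeps. This is a
// simplified stand-in for the attribute filter an SDK view applies (assumption).
type AttributeFilter func(key string) bool

// DenyKeys returns a filter that drops the named keys and keeps everything else.
func DenyKeys(keys ...string) AttributeFilter {
	denied := make(map[string]struct{}, len(keys))
	for _, k := range keys {
		denied[k] = struct{}{}
	}
	return func(key string) bool {
		_, drop := denied[key]
		return !drop
	}
}

// KeepAll models the default stream with no view applied: every attribute is retained.
func KeepAll(string) bool { return true }

// Counter is a toy cumulative counter that keeps one time series per distinct
// attribute set, which is the memory the vulnerability causes to grow.
type Counter struct {
	filter AttributeFilter
	series map[string]int64
}

func NewCounter(filter AttributeFilter) *Counter {
	return &Counter{filter: filter, series: make(map[string]int64)}
}

// seriesKey canonicalises the retained attributes into a map key; sorting makes
// attribute order irrelevant so it cannot create spurious series.
func (c *Counter) seriesKey(attrs []Attribute) string {
	kept := make([]string, 0, len(attrs))
	for _, a := range attrs {
		if c.filter(a.Key) {
			kept = append(kept, a.Key+"="+a.Value)
		}
	}
	sort.Strings(kept)
	return strings.Join(kept, ",")
}

// Add records n against the series identified by the retained attributes.
func (c *Counter) Add(n int64, attrs ...Attribute) {
	c.series[c.seriesKey(attrs)] += n
}

// SeriesCount is the cardinality a defender would alert on: the number of
// distinct attribute sets currently held in memory.
func (c *Counter) SeriesCount() int { return len(c.series) }

// recordRequests simulates nRequests gRPC calls to one method, each from a
// different constructed peer address and port, and records them into c.
func recordRequests(c *Counter, nRequests int) {
	for i := 0; i < nRequests; i++ {
		c.Add(1,
			Attribute{"rpc.system", "grpc"},
			Attribute{"rpc.service", "example.Greeter"}, // constructed service name
			Attribute{"rpc.method", "SayHello"},         // constructed method name
			Attribute{"net.peer.sock.addr", fmt.Sprintf("10.0.%d.%d", i/256, i%256)},
			Attribute{"net.peer.sock.port", fmt.Sprintf("%d", 1024+i)},
		)
	}
}

// Demo returns the series counts for the unfiltered (affected) stream and for the
// stream with the two peer attributes removed, after nRequests distinct peers.
func Demo(nRequests int) (unfiltered, filtered int) {
	affected := NewCounter(KeepAll)
	hardened := NewCounter(DenyKeys("net.peer.sock.addr", "net.peer.sock.port"))
	recordRequests(affected, nRequests)
	recordRequests(hardened, nRequests)
	return affected.SeriesCount(), hardened.SeriesCount()
}

func main() {
	u, f := Demo(10000)
	fmt.Printf("unfiltered series: %d, filtered series: %d\n", u, f)
}
```

The unfiltered counter grows by one series per distinct peer, so memory is bounded only by how many address/port pairs a client can present; the filtered counter stays at a single series for the method regardless of request volume, which is the effect the workaround view achieves. In the real OpenTelemetry Go SDK the equivalent of `DenyKeys` is a view (`sdkmetric.NewView`) whose `Stream.AttributeFilter` denies those two keys; that API detail comes from the SDK, not from this entry, and the number returned by `SeriesCount` is the kind of figure worth exporting and alerting on when monitoring telemetry cardinality.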

Responsible

GitHub, Inc.

Reservation

10/30/2023

Disclosure

11/10/2023

Moderation

accepted

CPE

ready

EPSS

0.01579

KEV

no

Activities

very low
