CVE-2026-59892 in opentelemetry-jsinfo

Summary

by MITRE • 07/08/2026

OpenTelemetry JavaScript is the OpenTelemetry JavaScript client. Prior to 2.9.0, @opentelemetry/propagator-jaeger decodes incoming uber-trace-id and uberctx-* HTTP header values with decodeURIComponent() without handling decode errors, allowing an unauthenticated remote attacker to send a malformed percent-encoded value that throws an uncaught URIError and terminates a Node.js process using JaegerPropagator as the active propagator. This issue is fixed in version 2.9.0.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/08/2026

The vulnerability affects OpenTelemetry JavaScript client versions prior to 2.9.0, specifically within the @opentelemetry/propagator-jaeger package that handles Jaeger trace propagation. This flaw represents a critical security weakness that can lead to process termination and potential denial of service attacks against applications using this telemetry library. The vulnerability stems from improper error handling during HTTP header decoding operations, creating an exploitable condition where malicious actors can craft specially formatted headers to crash Node.js processes.

The technical implementation flaw occurs when the JaegerPropagator component processes incoming HTTP headers containing uber-trace-id and uberctx-* values. The propagator utilizes decodeURIComponent() function without implementing proper error handling mechanisms to catch URIError exceptions that occur when malformed percent-encoded values are encountered. This primitive decoding approach fails to validate the integrity of incoming header data, allowing attackers to inject malformed sequences that cause the JavaScript runtime to throw uncaught exceptions. When these exceptions propagate through the Node.js event loop without proper try-catch blocks, they result in process termination and application downtime.

The operational impact of this vulnerability extends beyond simple service disruption as it enables remote code execution through process termination attacks. An unauthenticated attacker can exploit this weakness by sending crafted HTTP requests with malformed header values that trigger URIError exceptions within the JaegerPropagator implementation. This creates a reliable vector for denial of service attacks against applications that rely on OpenTelemetry for distributed tracing, potentially affecting microservices architectures where trace propagation is critical for observability. The vulnerability particularly impacts systems where Node.js processes are not protected by process supervisors or automatic restart mechanisms.

Security mitigations for this vulnerability involve upgrading to OpenTelemetry JavaScript version 2.9.0 or later, which implements proper error handling for URI decoding operations. Organizations should also implement input validation at the application level to sanitize HTTP headers before they reach the telemetry library components, though this represents a secondary defense measure. Network-level protections such as API gateways or reverse proxies can be configured to filter malformed header values, but these solutions are less reliable than proper code-level fixes. The vulnerability aligns with CWE-20: Improper Input Validation and ATT&CK technique T1499.004: Endpoint Denial of Service, highlighting the need for robust error handling practices in distributed tracing implementations.

The fix implemented in version 2.9.0 demonstrates proper defensive programming by incorporating try-catch blocks around decodeURIComponent() calls to handle malformed URI sequences gracefully. This approach prevents uncaught exceptions from propagating through the application stack and ensures that telemetry processing failures do not result in complete service termination. Organizations should also consider implementing comprehensive monitoring for process restarts and unusual error patterns that might indicate exploitation attempts, as well as conducting regular security assessments of their telemetry infrastructure to identify similar vulnerabilities in other tracing components or third-party libraries.

Responsible

GitHub M

Reservation

07/07/2026

Disclosure

07/08/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!