CVE-2023-47108
Severity: HIGH
OpenTelemetry-Go Contrib 0.37.0-0.45.0 - Unbounded Resource Allocation via gRPC Unary Server Interceptor
Title source: LLM
Exploitation Summary
EIP tracks 1 public exploit for CVE-2023-47108. PoCs published by bahe-msft.
AI-analyzed exploit summary: The repository contains minimal code that references a vulnerable function in OpenTelemetry's gRPC instrumentation but lacks actual exploit logic or demonstration of the vulnerability. It appears to be a placeholder or incomplete PoC.
Description
OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Starting in version 0.37.0 and prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds the labels `net.peer.sock.addr` and `net.peer.sock.port`, which have unbounded cardinality: every distinct client address/port pair becomes a new metric series that the server keeps in memory. This can lead to memory exhaustion on the server when many malicious requests are sent, because an attacker can easily vary the peer address and port across requests. Version 0.46.0 contains a fix for this issue. As a workaround, a metrics view that removes these attributes can be used. The other option is to disable grpc metrics instrumentation by passing the `otelgrpc.WithMeterProvider` option with `noop.NewMeterProvider`.
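The cardinality problem and the "view removing the attributes" workaround, as an added example that is not part of this advisory or of the OpenTelemetry project's own code. It uses a hypothetical stand-in metrics registry (`Registry`, `DenyKeys`, `SimulateRequests` are all assumed names) in which each distinct attribute set becomes one in-memory time series, exactly as a real metrics SDK does; the attribute names are the ones from the description, and the peer addresses and ports are constructed sample values. Recording the same RPC from many different peers grows the series count without bound, while a filter that drops the two peer attributes keeps it at one.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// AttrFilter reports whether an attribute key is kept on the recorded series.
// A nil filter keeps every key, which is the vulnerable (unbounded) behaviour.
type AttrFilter func(key string) bool

// Registry is a hypothetical stand-in for a metrics SDK: every distinct
// attribute set becomes its own time series, and every series stays in memory.
type Registry struct {
	filter AttrFilter
	series map[string]int64 // canonical attribute set -> observation count
}

func NewRegistry(filter AttrFilter) *Registry {
	return &Registry{filter: filter, series: make(map[string]int64)}
}

// DenyKeys builds a filter that drops the listed keys, mirroring a metrics
// view that removes attributes before aggregation.
func DenyKeys(keys ...string) AttrFilter {
	denied := make(map[string]struct{}, len(keys))
	for _, k := range keys {
		denied[k] = struct{}{}
	}
	return func(key string) bool {
		_, drop := denied[key]
		return !drop
	}
}

// Record adds one observation under the (filtered) attribute set.
func (r *Registry) Record(attrs map[string]string) {
	parts := make([]string, 0, len(attrs))
	for k, v := range attrs {
		if r.filter != nil && !r.filter(k) {
			continue
		}
		parts = append(parts, k+"="+v)
	}
	sort.Strings(parts) // canonical order so equal sets map to one series
	r.series[strings.Join(parts, ",")]++
}

// SeriesCount is the number of distinct series held in memory.
func (r *Registry) SeriesCount() int { return len(r.series) }

// SeriesKeys returns the canonical attribute sets, sorted, for inspection.
func (r *Registry) SeriesKeys() []string {
	keys := make([]string, 0, len(r.series))
	for k := range r.series {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// SimulateRequests records n constructed requests for one RPC, each arriving
// from a different peer socket address/port (sample values, not real traffic),
// and returns how many series the registry now holds.
func SimulateRequests(r *Registry, n int) int {
	for i := 0; i < n; i++ {
		r.Record(map[string]string{
			"rpc.system":         "grpc",
			"rpc.service":        "example.Service",
			"rpc.method":         "Ping",
			"net.peer.sock.addr": fmt.Sprintf("198.51.100.%d", i%254+1), // constructed
			"net.peer.sock.port": fmt.Sprintf("%d", 1024+i),            // constructed
		})
	}
	return r.SeriesCount()
}

func main() {
	unbounded := NewRegistry(nil)
	bounded := NewRegistry(DenyKeys("net.peer.sock.addr", "net.peer.sock.port"))
	fmt.Println("series without view:", SimulateRequests(unbounded, 10000)) // 10000
	fmt.Println("series with view:   ", SimulateRequests(bounded, 10000))   // 1
	fmt.Println("remaining series:", bounded.SeriesKeys())
}
```

The `DenyKeys` filter plays the role of the metrics view the description recommends: in the OpenTelemetry Go SDK that is a view whose `Stream` carries an `AttributeFilter` denying the `net.peer.sock.addr` and `net.peer.sock.port` keys, registered on the `MeterProvider` handed to `otelgrpc`. A useful operational check on an affected deployment is the series count (or memory) of the gRPC server metrics over time: it should track the number of distinct RPC methods, not the number of distinct clients.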
Exploits (1)
References (7)
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H