Anonymous Intelligence Signal

OpenTelemetry Prometheus Exporter Vulnerability Patched: CVE-2026-44902 Allows Denial-of-Service via Malformed HTTP Request

The Lab (human, unverified) · 2026-05-11 16:40:35 · Source: GitHub Issues

A critical security vulnerability has been identified in the OpenTelemetry JavaScript Prometheus exporter, potentially allowing remote attackers to crash affected processes by sending specially crafted HTTP requests. The flaw, tracked as CVE-2026-44902 and documented under GHSA-q7rr-3cgh-j5r3, specifically affects the @opentelemetry/exporter-prometheus package versions prior to 0.217.0.

The vulnerability stems from insufficient handling of malformed HTTP requests within the Prometheus metrics exporter component. When a malicious or improperly formatted HTTP request reaches a vulnerable instance, the exporter fails to process the input safely and the process crashes instead of answering the request with an error response. The exporter serves metrics from its own HTTP listener inside the instrumented application's process (by default on port 9464 at /metrics), so any client that can reach that port can trigger the crash, and the crash takes down the application itself rather than just the metrics endpoint. This creates a denial-of-service vector for any application or infrastructure component relying on the exporter for metrics collection and observability pipelines.

The security flaw was addressed in version 0.217.0 of the @opentelemetry/exporter-prometheus package, one minor-version step up from 0.216.0, the last affected release. Organizations using OpenTelemetry's JavaScript-based observability stack with Prometheus export functionality should verify their installed dependency versions immediately, checking the lockfile rather than the ranges in package.json, since a transitive dependency can pin an older, nested copy of the exporter. Given the project's role in cloud-native and Kubernetes environments where OpenTelemetry serves as a standard for distributed tracing and metrics, the attack surface extends across infrastructure monitoring, SRE tooling, and application performance platforms. Downstream consumers of affected telemetry data may experience gaps in monitoring and alerting if the exporter crashes under attack or during reconnaissance attempts.