Memory Allocation with Excessive Size Value Affecting opentelemetry.opamp.client package, versions [,0.2.0-alpha.1)


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.31% (23rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-DOTNET-OPENTELEMETRYOPAMPCLIENT-16638649
  • published11 May 2026
  • disclosed5 May 2026
  • creditUnknown

Introduced: 5 May 2026

CVE-2026-42348  (opens in a new tab)
CWE-789  (opens in a new tab)

How to fix?

Upgrade OpenTelemetry.OpAmp.Client to version 0.2.0-alpha.1 or higher.

Overview

OpenTelemetry.OpAmp.Client is an OpAMP Client for OpenTelemetry .NET

Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value through the PlainHttpTransport response handling in the OpAMP HTTP transport. An attacker can force the client to allocate and buffer an oversized server response by returning a large or chunked response body to an OpAMP request. The vulnerable PlainHttpTransport path reads the entire HttpResponseMessage body into memory without enforcing a size cap, so a malicious or compromised OpAMP server can exhaust memory and destabilize the process. In deployments that use the OpAMP client, this can crash the host application or make it unresponsive while processing the oversized response.

CVSS Base Scores

version 4.0
version 3.1