Skip to content

fix: upgrade extras/dagger OpenTelemetry dependencies to v1.41.0#3273

Open
chainloop-development[bot] wants to merge 1 commit into
mainfrom
chainloop/fix-ghsa-mh2q-q3fh-2475-20260708-141815
Open

fix: upgrade extras/dagger OpenTelemetry dependencies to v1.41.0#3273
chainloop-development[bot] wants to merge 1 commit into
mainfrom
chainloop/fix-ghsa-mh2q-q3fh-2475-20260708-141815

Conversation

@chainloop-development

@chainloop-development chainloop-development Bot commented Jul 8, 2026

Copy link
Copy Markdown

Summary

Upgraded the extras/dagger module from OpenTelemetry v1.38.0 to the first fixed release line, v1.41.0, to remove the vulnerable baggage header parsing implementation. The change is limited to that helper module and its required transitive dependency updates.

Vulnerability Fixed

GHSA-mh2q-q3fh-2475 (HIGH): OpenTelemetry-Go multi-value baggage header extraction can trigger excessive allocations and enable remote denial-of-service amplification before v1.41.0.

Changes Made

  • Bumped go.opentelemetry.io/otel, go.opentelemetry.io/otel/sdk, go.opentelemetry.io/otel/trace, and related OTLP exporter/metric modules in extras/dagger/go.mod from v1.38.0 to v1.41.0.
  • Accepted the minimal transitive dependency updates that the v1.41.0 OpenTelemetry release line requires in the same module.
  • Refreshed extras/dagger/go.sum to match the patched dependency graph.

Verification

Classification: resolved.

Attempted SBOM-first verification with syft dir:. -o cyclonedx-json | grype sbom:/dev/stdin --only-fixed -o json, but this grype build requires a seekable SBOM input and could not read stdin. As a best-effort fallback, I ran grype dir:. --only-fixed -o json against repo/, and it reported 0 matches for GHSA-mh2q-q3fh-2475.

Risk Assessment

View the risk assessment in Chainloop

Review in cubic

@kusari-inspector

Copy link
Copy Markdown

Kusari Inspector

Kusari Analysis Results:

Do not proceed without addressing issues

Caution

Flagged Issues Detected
These changes contain flagged issues that may introduce security risks.

The code security analysis found zero issues across the modified files (go.sum and go.mod), confirming no secrets, workflow, or code-level vulnerabilities were introduced. However, the dependency analysis identified multiple critical and high-severity unresolved vulnerabilities in the newly introduced dependency versions that we strongly recommend addressing before merging. Key concerns are: (1) google.golang.org/grpc v1.79.1 contains an authorization bypass (CVE-2026-33186, CVSS HIGH: C:H/I:H) where attackers can circumvent path-based deny rules via missing leading slashes in HTTP/2 :path pseudo-headers — update to v1.82.0; (2) golang.org/x/net v0.50.0 carries two unresolved HIGH advisories: an HTTP/2 infinite loop DoS (CVE-2026-33814) and an IDNA privilege escalation enabling access control bypass (CVE-2026-39821) — update to v0.56.0; (3) go.opentelemetry.io/otel/sdk v1.41.0 has a PATH hijacking vulnerability enabling arbitrary code execution on BSD/Solaris platforms (CVE-2026-39883) — update to v1.44.0; (4) OTLP HTTP exporters at v1.41.0 allow memory exhaustion via unbounded HTTP response body reads if the collector endpoint is compromised or subject to MITM (CVE-2026-39882) — update both otlpmetrichttp and otlptracehttp to v1.44.0. While this PR successfully remediates GHSA-mh2q-q3fh-2475, the net security posture introduces more high-severity risk than it resolves. We strongly recommend updating all affected dependencies to their fixed versions before merging.

Note

View full detailed analysis result for more information on the output and the checks that were run.

Required Dependency Mitigations

  • CRITICAL - google.golang.org/grpc v1.79.1 (CVE-2026-33186): Authorization bypass via missing leading slash in HTTP/2 :path pseudo-header. Attackers can bypass path-based deny rules if a fallback allow rule exists. CVSS HIGH (AV:N/AC:L/PR:N/UI:N/C:H/I:H/A:N). The fix requires v1.79.3 or newer. Per the vulnerabilityFixReport, update to v1.82.0: go get google.golang.org/grpc@v1.82.0
  • HIGH - golang.org/x/net v0.50.0 still carries multiple unresolved advisories: (1) CVE-2026-33814 - HTTP/2 infinite loop DoS when SETTINGS_MAX_FRAME_SIZE=0 (CVSS HIGH AV:N/AC:L); (2) CVE-2026-39821 - IDNA privilege escalation allowing access controls to be bypassed via Punycode-encoded labels (CVSS HIGH C:H/I:H). The new version v0.50.0 does NOT fix these. Per the vulnerabilityFixReport, update to v0.56.0: go get golang.org/x/net@v0.56.0
  • HIGH - go.opentelemetry.io/otel/sdk v1.41.0 (CVE-2026-39883): BSD kenv command PATH hijacking enabling arbitrary code execution on BSD/Solaris platforms (CVSS:4.0 VC:H/VI:H/VA:H). The new version v1.41.0 does NOT fully resolve this (it persists as an advisory). Per the vulnerabilityFixReport, update to v1.44.0: go get go.opentelemetry.io/otel/sdk@v1.44.0
  • HIGH - go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp and go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.41.0 (GHSA-w8rr-5gcm-pp58 / CVE-2026-39882): OTLP HTTP exporters read unbounded HTTP response bodies enabling memory exhaustion/OOM if the collector endpoint is attacker-controlled or subject to MITM. Both old and new versions are affected. Per the vulnerabilityFixReport, update both to v1.44.0: go get go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp@v1.44.0 and go get go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp@v1.44.0

@kusari-inspector rerun - Trigger a re-analysis of this PR
@kusari-inspector feedback [your message] - Send feedback to our AI and team
See Kusari's documentation for setup and configuration.
Commit: 3e23e36, performed at: 2026-07-08T12:18:57Z

Found this helpful? Give it a 👍 or 👎 reaction!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants