CVE-2023-47108 Overview
CVE-2023-47108 is a memory exhaustion vulnerability in OpenTelemetry-Go Contrib, a collection of third-party packages for OpenTelemetry-Go. The vulnerability exists in the gRPC Unary Server Interceptor, which automatically adds the net.peer.sock.addr and net.peer.sock.port labels, whose cardinality is unbounded. This design flaw allows attackers to flood the server with requests using varied peer addresses and ports, leading to potential memory exhaustion and denial of service conditions.
Critical Impact
This vulnerability enables remote attackers to cause memory exhaustion on servers using affected versions of the OpenTelemetry-Go Contrib gRPC instrumentation, potentially leading to complete service disruption without requiring authentication.
Affected Products
- OpenTelemetry-Go Contrib versions 0.37.0 through 0.45.x
- gRPC Unary Server Interceptor component (otelgrpc)
- Applications using go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc
Discovery Timeline
- 2023-11-10 - CVE-2023-47108 published to NVD
- 2025-10-28 - Last updated in NVD database
Technical Details for CVE-2023-47108
Vulnerability Analysis
The vulnerability stems from how the OpenTelemetry-Go Contrib gRPC instrumentation handles metric labeling. The gRPC Unary Server Interceptor automatically attaches net.peer.sock.addr and net.peer.sock.port attributes to metrics for each incoming request. Since these attributes capture the remote peer's address and port, they inherently have unbounded cardinality: the number of unique combinations grows without limit as more distinct clients connect to the service.
In observability systems, each unique combination of metric labels creates a new time series that must be stored and tracked in memory. When an attacker sends requests from many different source addresses and ports (which is trivial to accomplish), the server must allocate memory to track each unique combination. This creates a classic resource exhaustion scenario where the attacker can deplete server memory resources with minimal effort.
Root Cause
The root cause is classified as CWE-770 (Allocation of Resources Without Limits or Throttling). The telemetryAttributes function in the interceptor captured peer connection information without considering the cardinality implications. The vulnerable code path in interceptor.go collected these high-cardinality attributes and passed them to the metrics system, so memory grew without bound as new unique attribute combinations were encountered.
Attack Vector
This is a network-based attack requiring no authentication or user interaction. An attacker can exploit this vulnerability by:
- Identifying a target service using the vulnerable OpenTelemetry-Go Contrib gRPC instrumentation
- Sending gRPC requests from multiple source IP addresses and ports (easily achieved through IP spoofing, botnets, or simply using many connections)
- Each unique IP:port combination creates new metric time series in memory
- Continuing the attack until the target server exhausts available memory
The attack is particularly effective because gRPC services are often exposed publicly and the metric collection happens transparently before any application-level authentication occurs.
    // Before fix - vulnerable telemetry attribute collection
    // Source: interceptor.go - the spanInfo function captured peer attributes

    // After fix - high-cardinality attributes removed (excerpt; continues in the linked commit)
    name, attr, _ := telemetryAttributes(method, cc.Target())
    startOpts := append([]trace.SpanStartOption{
    	trace.WithSpanKind(trace.SpanKindClient),
Source: GitHub Commit Fix
Detection Methods for CVE-2023-47108
Indicators of Compromise
- Unusual memory growth patterns in gRPC services using OpenTelemetry instrumentation
- High cardinality warnings or errors from your metrics backend (Prometheus, etc.)
- Increasing number of unique time series in metric storage systems
- Service degradation or out-of-memory crashes in gRPC server processes
Detection Strategies
- Monitor memory utilization trends for services using otelgrpc instrumentation
- Set up alerts for abnormal time series cardinality growth in metrics backends
- Review gRPC access logs for patterns indicating distributed attack sources
- Implement rate limiting detection on gRPC endpoints to identify flooding attempts
Monitoring Recommendations
- Configure metrics backend cardinality limits and alerting thresholds
- Monitor Go runtime memory statistics (runtime.MemStats) for affected services
- Track the count of unique net.peer.sock.addr and net.peer.sock.port combinations
- Implement network-level monitoring for unusual gRPC traffic patterns from diverse sources
How to Mitigate CVE-2023-47108
Immediate Actions Required
- Upgrade OpenTelemetry-Go Contrib to version 0.46.0 or later immediately
- Audit all Go services using otelgrpc instrumentation for affected versions
- If immediate upgrade is not possible, implement the documented workarounds below
- Monitor affected services closely for signs of memory exhaustion attacks
Patch Information
The vulnerability is fixed in OpenTelemetry-Go Contrib version 0.46.0. The fix removes the high-cardinality net.peer.sock.addr and net.peer.sock.port attributes from the default metric instrumentation. Organizations should update their go.mod dependency to:
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.46.0
The security fix is documented in GitHub Security Advisory GHSA-8pgv-569h-w5rw and implemented via Pull Request #4322.
Workarounds
- Configure a view that explicitly removes the net.peer.sock.addr and net.peer.sock.port attributes from metrics
- Disable gRPC metrics instrumentation entirely by passing the otelgrpc.WithMeterProvider option with noop.NewMeterProvider
- Implement network-level rate limiting to reduce the effectiveness of flooding attacks
- Configure metrics backend cardinality limits as an additional defense layer
    // Workaround: disable gRPC metrics instrumentation
    import (
    	"go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc"
    	"go.opentelemetry.io/otel/metric/noop"
    )

    // Use a no-op meter provider so the interceptor records no metrics (tracing is unaffected)
    opts := []otelgrpc.Option{
    	otelgrpc.WithMeterProvider(noop.NewMeterProvider()),
    }
Reference: Go.dev New Meter Provider Documentation
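The unbounded series growth described in the Vulnerability Analysis, and the attribute-removing view from the Workarounds list, as an added Go simulation that is not otelgrpc's or the OpenTelemetry SDK's code: SeriesStore is a toy stand-in for a metrics backend, the peer addresses and ports are constructed, and DenyKeys only models the effect of a view attribute filter (a hypothetical helper, not the SDK API).

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Attribute is a metric label, modelled on an OpenTelemetry attribute.
type Attribute struct{ Key, Value string }
// SeriesStore stands in for a metrics backend: one entry per distinct attribute set.
type SeriesStore struct {
	keep   func(Attribute) bool // attribute filter; nil keeps everything
	series map[string]int       // canonical attribute set -> sample count
}
// Record filters the attributes, builds a canonical key and bumps that series.
func (s *SeriesStore) Record(attrs []Attribute) {
	kept := make([]string, 0, len(attrs))
	for _, a := range attrs {
		if s.keep == nil || s.keep(a) {
			kept = append(kept, a.Key+"="+a.Value)
		}
	}
	sort.Strings(kept)
	s.series[strings.Join(kept, ",")]++
}
// DenyKeys models a metrics view attribute filter that drops the named keys (hypothetical helper).
func DenyKeys(keys ...string) func(Attribute) bool {
	denied := map[string]bool{}
	for _, k := range keys {
		denied[k] = true
	}
	return func(a Attribute) bool { return !denied[a.Key] }
}
// SimulateFlood records n calls to one RPC from n distinct constructed peers and returns the series count.
func SimulateFlood(n int, keep func(Attribute) bool) int {
	s := &SeriesStore{keep: keep, series: map[string]int{}}
	for i := 0; i < n; i++ {
		s.Record([]Attribute{
			{"rpc.system", "grpc"}, {"rpc.service", "example.Svc"}, {"rpc.method", "Ping"},
			{"net.peer.sock.addr", fmt.Sprintf("10.0.%d.%d", i/256, i%256)}, // constructed
			{"net.peer.sock.port", fmt.Sprintf("%d", 1024+i)},               // constructed
		})
	}
	return len(s.series)
}
func main() {
	fmt.Println("default attributes:", SimulateFlood(10000, nil))
	fmt.Println("peer keys dropped: ", SimulateFlood(10000, DenyKeys("net.peer.sock.addr", "net.peer.sock.port")))
}
```

With the two peer keys kept, every request from a new address:port becomes its own series (10000 series for 10000 requests); with them dropped, all requests collapse into one series, which is the effect the 0.46.0 fix and the view workaround achieve.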
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.