# OneCollector Exporter Unbounded HTTP Response Body Read Vulnerability

## Vulnerability Overview

When using the `OpenTelemetry.Exporter.OneCollector` exporter to send telemetry data to a backend/collector via HTTP, if the request fails (e.g., returns an HTTP 4xx or 5xx status code), the response body is read into memory without any upper limit on the number of bytes read.

## Affected Scope

- **Affected Package**: `OpenTelemetry.Exporter.OneCollector`
- **Affected Versions**: `<= 1.15.0`
- **Fixed Version**: `1.15.1`
- **Severity**: Medium (5.3 / 10)
- **CVSS Score**:
  - Attack Vector: Adjacent
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
  - Confidentiality: None
  - Integrity: None
  - Availability: High

## Impact

If the `OneCollector` exporter configured in an application points to an endpoint controlled by an attacker (or is subject to a man-in-the-middle attack), the attacker can return an arbitrarily large response body. This leads to unbounded memory allocation while the body is consumed, resulting in high transient memory pressure, garbage collection stalls, or an `OutOfMemoryException` that causes the process to terminate.

## Remediation

- **Version Upgrade**: Upgrade to version `1.15.1` or later.
- **Code Fix**: Update the `OneCollector` exporter to limit the number of bytes read from the response body under error conditions (capped at 4MB).
- **Mitigation**: Use network-level controls (such as firewall rules, mTLS, or service mesh) to prevent the configured backend/collector endpoints from being subject to man-in-the-middle (MitM) attacks.
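The pattern behind the fix, as an added illustration that is not the OneCollector exporter's own code: the unbounded read on the left-hand path versus a read that stops at the 4MB cap the advisory describes. The `ErrorBodyReader` class, its method names and the `[truncated]` marker are assumptions made for this example.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Http;
using System.Text;
using System.Threading;
using System.Threading.Tasks;

// Hypothetical helper, not part of OpenTelemetry.Exporter.OneCollector.
public static class ErrorBodyReader
{
    // Same 4MB ceiling the advisory states for the fixed version.
    private const int MaxErrorBodyBytes = 4 * 1024 * 1024;

    // Vulnerable pattern: buffers whatever the server sends, no upper bound.
    public static Task<string> ReadUnboundedAsync(HttpResponseMessage response, CancellationToken ct)
        => response.Content.ReadAsStringAsync(ct);

    // Hardened pattern: read at most MaxErrorBodyBytes, then stop consuming.
    // Content-Length is only a hint; a hostile server can omit it or lie, so the
    // cap is enforced on the bytes actually read rather than on the header.
    public static async Task<string> ReadBoundedAsync(HttpResponseMessage response, CancellationToken ct)
    {
        using Stream stream = await response.Content.ReadAsStreamAsync(ct).ConfigureAwait(false);
        using var collected = new MemoryStream();
        var buffer = new byte[8192];
        int remaining = MaxErrorBodyBytes;
        while (remaining > 0)
        {
            int toRead = Math.Min(buffer.Length, remaining);
            int read = await stream.ReadAsync(buffer.AsMemory(0, toRead), ct).ConfigureAwait(false);
            if (read == 0) break;            // server closed the body early, fine
            collected.Write(buffer, 0, read);
            remaining -= read;
        }
        string body = Encoding.UTF8.GetString(collected.GetBuffer(), 0, (int)collected.Length);
        // Cap reached: the rest of the body is deliberately left unread.
        return remaining == 0 ? body + " [truncated]" : body;
    }

    public static async Task Main()
    {
        // Constructed stand-in for a hostile 5xx reply carrying a 16MB body.
        using var response = new HttpResponseMessage(HttpStatusCode.InternalServerError)
        {
            Content = new ByteArrayContent(new byte[16 * 1024 * 1024])
        };
        string body = await ReadBoundedAsync(response, CancellationToken.None);
        Console.WriteLine($"bounded read kept {body.Length} chars");
    }
}
```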