
chore(deps): update dependency opentelemetry.exporter.opentelemetryprotocol to 1.15.3 [security] - autoclosed#2755

Closed
renovate[bot] wants to merge 1 commit into
masterfrom
renovate-nuget-opentelemetry.exporter.opentelemetryprotocol-vulnerability

Conversation

@renovate
Contributor

@renovate renovate Bot commented Apr 30, 2026

This PR contains the following updates:

Package | Change | Age | Confidence
OpenTelemetry.Exporter.OpenTelemetryProtocol (source) | 1.12.0 -> 1.15.3 | age | confidence

OpenTelemetry's disk retry default temp path enables local blob injection via OTLP Exporter

CVE-2026-42191 / GHSA-4625-4j76-fww9


Summary

The OTLP disk retry feature in OpenTelemetry.Exporter.OpenTelemetryProtocol silently fell back to Path.GetTempPath() when OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY=disk was set but OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH was not configured.

The exporter stored and loaded *.blob files under fixed, signal-named subdirectories (traces, metrics, logs) beneath that shared temporary root path.

On multi-user systems where the temporary directory is accessible to other local accounts, this exposed three attack surfaces:

  • Blob injection (integrity): an attacker could write crafted *.blob files into the predictable path; the exporter picks them up on the next retry cycle and forwards them to the configured OTLP endpoint under the application's identity.
  • Telemetry disclosure (confidentiality): an attacker reads *.blob files written by the application between export failures, recovering encoded telemetry payloads (spans, metric data points, log records).
  • Resource exhaustion (availability): an attacker deposits numerous or oversized blob files, degrading retry-loop performance or consuming disk space.

Details

Preconditions
  1. OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY is set to disk.
  2. OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH is not set, causing the exporter to resolve the blob storage root using the System.IO.Path.GetTempPath() API.
  3. A local attacker has read or write access to the process' temporary directory (e.g., /tmp on Linux, or %TEMP% on a multi-user Windows installation).

Exploit path
  1. A target application starts with OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY=disk and no explicit blob directory. The exporter resolves the storage root to Path.GetTempPath(), producing paths such as %TEMP%\traces, %TEMP%\metrics, and %TEMP%\logs (or /tmp/traces etc. on Linux).
  2. Injection scenario: before or during the application's retry window, an attacker writes crafted *.blob files into one of those signal subdirectories. On the next retry interval (by default every 60 seconds), OtlpExporterPersistentStorageTransmissionHandler scans the directory, loads the attacker-supplied blobs, and forwards them to the configured OTLP endpoint using the application's identity and transport credentials.
  3. Disclosure scenario: the attacker reads *.blob files that the application wrote after a transient export failure, recovering the full serialized telemetry payloads (spans, metric data points, or log records in Protobuf encoding).
  4. DoS scenario: the attacker deposits a large number of oversized blob files in the temporary subdirectories, causing the retry loop to consume excess CPU/IO processing them, potentially exhausting available disk space.

Mitigations

If an immediate upgrade to a patched version is not possible:

  1. Avoid enabling disk retry in shared environments.
  2. Configure a dedicated directory with strict ACL/ownership and least privilege.
  3. Ensure the directory is not shared across tenants/users.
  4. Monitor for unexpected *.blob files or abnormal retry backlog growth.
Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

open-telemetry/opentelemetry-dotnet (OpenTelemetry.Exporter.OpenTelemetryProtocol)

v1.15.3

Release details: 1.15.3

  • Breaking change: Fixed tracestate parsing to reject keys that do not
    begin with a lowercase letter, including keys beginning with digits, to
    align with the W3C Trace Context specification.
  • Breaking change: Fixed an insecure disk retry default for OTLP export.
    Disk retry now requires OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH
    when OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY=disk is configured.
  • Improve efficiency of parsing of baggage and B3 propagation headers.
  • OtlpLogExporter now uses IHttpClientFactory on .NET 8+.
  • Fixed an issue in OTLP/gRPC retry handling when parsing gRPC statuses.
  • Fixed OTEL_SPAN_ATTRIBUTE_VALUE_LENGTH_LIMIT not being applied.
  • Fixed baggage and trace headers not respecting the maximum length in some cases.
  • Fixed BaggagePropagator to trim optional whitespace (OWS) around =
    separators when parsing the baggage header.
  • Fixed BaggagePropagator to strip baggage properties from values when
    parsing the baggage header.
  • Fixed OTLP persistent storage clean-up handling for malformed filenames.
  • Fixed resource leak in batch and periodic exporting task workers for Blazor/WASM.
  • Fixed LogRecord.LogLevel to preserve LogLevel.None.
  • Fixed OTEL_TRACES_SAMPLER_ARG handling for out-of-range values.
  • Fixed an issue with OTLP disk retry storage where metrics and logs used the
    traces storage directory.
  • Fixed full OTLP endpoint being logged by internal diagnostics.
  • Improve efficiency of parsing of baggage, B3 and Jaeger propagation headers.
  • Hardened Zipkin exporter memory usage for endpoint caching and array tag
    serialization.

v1.15.2

Release details: 1.15.2

  • Limit how much of the response body is read by the OTLP exporter when
    export fails and error logging is enabled.
  • Added Task-based worker support for BatchExportProcessor and
    PeriodicExportingMetricReader to enable the OpenTelemetry SDK to work
    in single-threaded WebAssembly environments such as Blazor and
    Uno Platform.

v1.15.1

Release details: 1.15.1

  • Breaking change: The Baggage API now disallows empty baggage names and
    treats baggage names and values as case sensitive, aligning with the latest
    Baggage API specification.
  • Various bug fixes across OpenTelemetry.Api and OpenTelemetry SDK,
    including fixes for thread-safety, sampler edge cases, metrics precision,
    and observable instrument lifecycle handling.

v1.15.0

Release details: 1.15.0

  • Added support for ActivitySource.TelemetrySchemaUrl
    and Meter.TelemetrySchemaUrl properties across exporters.
  • Improved performance and reduced memory consumption for metrics histograms.
  • Added mTLS configuration support for the OTLP exporter (client cert/key and
    CA certificate options).
  • OpenTelemetry.Exporter.Zipkin is deprecated and will stop receiving updates
    in December 2026. Zipkin already supports OTLP ingestion.
    Migrate to OpenTelemetry.Exporter.OpenTelemetryProtocol as stated
    in the Deprecating Zipkin Exporter blog post.

v1.14.0

Release details: 1.14.0

  • Add support for .NET 10.0.
  • Breaking Change: When targeting net8.0, the package now depends on version
    8.0.0 of the Microsoft.Extensions.DependencyInjection.Abstractions,
    Microsoft.Extensions.Diagnostics.Abstractions,
    Microsoft.Extensions.Hosting.Abstractions and
    Microsoft.Extensions.Logging.Configuration NuGet packages.
  • Update System.Diagnostics.DiagnosticSource dependency to 10.0.0
    for all target frameworks.
  • Update Microsoft.Extensions.* dependencies to 10.0.0
    for .NET Framework and .NET Standard.
  • Breaking Change: NuGet packages now use the Sigstore bundle format
    (.sigstore.json) for digital signatures instead of separate signature
    (.sig) and certificate (.pem) files. This requires cosign 3.0 or later
    for verification. See the Digital signing section for updated
    verification instructions.

v1.13.1

Release details: 1.13.1

  • In version 1.13.0, the digital signature (.dll-keyless.sig) and
    certificate (.dll-keyless.pem) files were unintentionally omitted from the
    published NuGet packages.
  • This hotfix restores the Sigstore signing artifacts for all target frameworks
    (net462, netstandard2.0, netstandard2.1, net8.0, net9.0), ensuring
    the integrity of DLL verification using Sigstore cosign.

v1.13.0

Release details: 1.13.0

  • gRPC calls to export traces, logs, and metrics using OtlpExportProtocol.Grpc
    now set the TE=trailers HTTP request header to improve interoperability.
  • EventName is now exported by default as EventName instead of
    logrecord.event.name when specified through ILogger or the experimental
    log bridge API.

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
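The advisory above lists the preconditions (disk retry enabled, no explicit directory) and the mitigations (a dedicated least-privilege directory, monitoring for unexpected blob files). The bash script below is an added example, not code from this PR or from the OpenTelemetry project: it turns those points into a preflight check that fails closed when the pre-1.15.3 insecure default would apply, verifies that the configured directory is private to the running user, and counts `*.blob` files per signal subdirectory so backlog growth can be alerted on. It assumes Linux with GNU coreutils (`stat -c`); the environment variable names and the `traces`/`metrics`/`logs` layout come from the advisory, and the backlog limit passed to `blob_backlog_ok` is a hypothetical threshold.

```shell
#!/usr/bin/env bash
# Added example, not code from this PR or the OpenTelemetry project.
# Preflight and monitoring checks for OTLP disk retry, derived from the
# advisory's preconditions and mitigations. Assumes Linux + GNU coreutils.
set -u

# Mitigation 2: create a dedicated retry directory owned by the caller with
# mode 0700 so no other local account can read or inject *.blob files.
prepare_retry_dir() {
    local dir="$1"
    mkdir -p "$dir" && chmod 700 "$dir"
}

# Return 0 only if the directory exists, is owned by the invoking user and
# grants no permission bits to group or other.
check_retry_dir() {
    local dir="$1" owner mode
    [ -d "$dir" ] || return 1
    owner=$(stat -c '%u' "$dir") || return 1
    mode=$(stat -c '%a' "$dir") || return 1
    [ "$owner" = "$(id -u)" ] || return 1
    case "$mode" in
        *00) return 0 ;;   # e.g. 700 or 1700: group/other bits are clear
        *)   return 1 ;;
    esac
}

# Evaluate the variables the exporter reads. Return codes: 0 safe (or disk
# retry off), 1 the insecure pre-1.15.3 default would apply, 2 the directory
# fails the ownership/permission checks.
check_otlp_retry_config() {
    local retry="${OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY:-}"
    local dir="${OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH:-}"
    if [ "$retry" != "disk" ]; then
        echo "OK: disk retry is not enabled"
        return 0
    fi
    if [ -z "$dir" ]; then
        echo "INSECURE: OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY=disk without a directory;" \
             "versions before 1.15.3 fall back to the shared temp path"
        return 1
    fi
    if ! check_retry_dir "$dir"; then
        echo "UNSAFE: $dir is missing, not owned by uid $(id -u), or accessible to other users"
        return 2
    fi
    echo "OK: retry blobs go to private directory $dir"
    return 0
}

# Mitigation 4: count *.blob files in one signal subdirectory
# (traces, metrics or logs). Prints 0 when the subdirectory does not exist.
count_blobs() {
    local dir="$1" signal="$2"
    [ -d "$dir/$signal" ] || { echo 0; return 0; }
    find "$dir/$signal" -maxdepth 1 -type f -name '*.blob' | wc -l | tr -d ' '
}

# Return 1 when any signal subdirectory holds more blobs than the limit.
# The limit is a hypothetical threshold; tune it to the expected backlog.
blob_backlog_ok() {
    local dir="$1" limit="$2" signal n
    for signal in traces metrics logs; do
        n=$(count_blobs "$dir" "$signal")
        if [ "$n" -gt "$limit" ]; then
            echo "ALERT: $n blob files in $dir/$signal exceeds limit $limit"
            return 1
        fi
    done
    return 0
}
```

Typical use is to source the script from the service's start-up wrapper and run `check_otlp_retry_config` before launching the application, refusing to start on a non-zero return; `blob_backlog_ok "$OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH" <limit>` can then run from a cron job or health check to surface the backlog growth the advisory asks operators to watch for.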

@renovate renovate Bot added the dependencies All issues related to dependencies & Renovate label Apr 30, 2026
@renovate renovate Bot requested a review from tomkerkhove as a code owner April 30, 2026 18:40
@github-actions

Thank you for your contribution! 🙏 We will review it as soon as possible.

@renovate renovate Bot changed the title chore(deps): update dependency opentelemetry.exporter.opentelemetryprotocol to 1.15.3 [security] chore(deps): update dependency opentelemetry.exporter.opentelemetryprotocol to 1.15.3 [security] - autoclosed May 12, 2026
@renovate renovate Bot closed this May 12, 2026
@renovate renovate Bot deleted the renovate-nuget-opentelemetry.exporter.opentelemetryprotocol-vulnerability branch May 12, 2026 06:59