
fix(security): update dependency opentelemetry.exporter.opentelemetryprotocol to 1.15.3 [security]#746

Merged: askpt merged 1 commit into main from renovate/vulnerability-updates on Apr 24, 2026

Conversation


@renovate renovate Bot commented Apr 24, 2026

This PR contains the following updates:

Package                                                 Change
OpenTelemetry.Exporter.OpenTelemetryProtocol (source)   1.15.2 -> 1.15.3

OpenTelemetry dotnet: Unbounded grpc-status-details-bin parsing in OTLP/gRPC retry handling

CVE-2026-40891 / GHSA-mr8r-92fq-pj8p

More information

Details

Summary

When exporting telemetry over gRPC using the OpenTelemetry Protocol (OTLP), the exporter may parse a server-provided grpc-status-details-bin trailer during retry handling. Prior to the fix, a malformed trailer could encode an extremely large length-delimited protobuf field which was used directly for allocation, allowing excessive memory allocation and potential denial of service (DoS).

Details

#5980 introduced a retry path that parses grpc-status-details-bin to extract gRPC retry delay information for retryable responses.

On that path:

  • OtlpGrpcExportClient captures grpc-status-details-bin from retryable status responses (ResourceExhausted / Unavailable).
  • OtlpRetry invokes GrpcStatusDeserializer.TryGetGrpcRetryDelay using this untrusted trailer value.
  • GrpcStatusDeserializer.DecodeBytes decoded a protobuf varint length and allocated new byte[length] without validating the bounds against the remaining payload size.

A malicious or compromised collector (or a MitM in weakly-protected deployments) could return a crafted grpc-status-details-bin payload that forces oversized allocation and memory exhaustion in the instrumented process.

Impact

If an OTLP/gRPC endpoint is attacker-controlled (or traffic is intercepted), a crafted retryable response can trigger large allocations during trailer parsing, which may exhaust memory and cause process instability/crash (availability impact / DoS).

Mitigation

The application's configured back-end/collector endpoint needs to behave maliciously. If the collector/back-end is a well-behaved implementation, response bodies should not be excessively large if a request error occurs.

Workarounds

None known.

Remediation

#7064 updates GrpcStatusDeserializer to validate decoded length-delimited field sizes before allocation by ensuring the requested length is sane and does not exceed the remaining payload.

This causes malformed or truncated grpc-status-details-bin payloads to fail safely instead of attempting unbounded allocation.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

open-telemetry/opentelemetry-dotnet (OpenTelemetry.Exporter.OpenTelemetryProtocol)

v1.15.3

Release details: 1.15.3

  • Breaking change: Fixed tracestate parsing to reject keys that do not
    begin with a lowercase letter, including keys beginning with digits, to
    align with the W3C Trace Context specification.
  • Breaking change: Fixed an insecure disk retry default for OTLP export.
    Disk retry now requires OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH
    when OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY=disk is configured.
  • Improve efficiency of parsing of baggage and B3 propagation headers.
  • OtlpLogExporter now uses IHttpClientFactory on .NET 8+.
  • Fixed an issue in OTLP/gRPC retry handling where parsing gRPC status.
  • Fixed OTEL_SPAN_ATTRIBUTE_VALUE_LENGTH_LIMIT not being applied.
  • Fixed baggage and trace headers not respecting the maximum length in some cases.
  • Fixed BaggagePropagator to trim optional whitespace (OWS) around =
    separators when parsing the baggage header.
  • Fixed BaggagePropagator to strip baggage properties from values when
    parsing the baggage header.
  • Fixed OTLP persistent storage clean-up handling for malformed filenames.
  • Fixed resource leak in batch and periodic exporting task workers for Blazor/WASM.
  • Fixed LogRecord.LogLevel to preserve LogLevel.None.
  • Fixed OTEL_TRACES_SAMPLER_ARG handling for out-of-range values.
  • Fixed an issue with OTLP disk retry storage where metrics and logs used the
    traces storage directory.
  • Fixed full OTLP endpoint being logged by internal diagnostics.
  • Improve efficiency of parsing of baggage, B3 and Jaeger propagation headers.
  • Hardened Zipkin exporter memory usage for endpoint caching and array tag
    serialization.

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
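As an added illustration of the bounds check the advisory describes (not code from the OpenTelemetry project; the real GrpcStatusDeserializer is C#, and the function names and sample trailers here are assumptions), a minimal Python decoder for a grpc-status-details-bin payload (a serialized google.rpc.Status) that validates a length-delimited field's declared size against the remaining bytes before slicing:

```python
class MalformedTrailer(ValueError):
    """Raised instead of allocating when a declared size does not fit the payload."""

def read_varint(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a protobuf base-128 varint at pos; return (value, position after it)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise MalformedTrailer("varint runs past end of payload")
        b, pos = buf[pos], pos + 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7

def read_bytes(buf: bytes, pos: int) -> tuple[bytes, int]:
    """Length-delimited field: the fix validates the decoded length against the remaining payload first."""
    length, pos = read_varint(buf, pos)
    if length > len(buf) - pos:  # the vulnerable code did new byte[length] with no such check
        raise MalformedTrailer(f"declared length {length} exceeds {len(buf) - pos} remaining bytes")
    return buf[pos:pos + length], pos + length

def parse_status(payload: bytes) -> dict:
    # Top-level google.rpc.Status fields: 1=code (varint), 2=message, 3=details (repeated Any)
    pos, out = 0, {"code": None, "message": None, "details": []}
    while pos < len(payload):
        tag, pos = read_varint(payload, pos)
        field, wire = tag >> 3, tag & 7
        if wire == 0:
            value, pos = read_varint(payload, pos)
            if field == 1:
                out["code"] = value
        elif wire == 2:
            value, pos = read_bytes(payload, pos)
            if field == 2:
                out["message"] = value.decode("utf-8", "replace")
            elif field == 3:
                out["details"].append(value)
        else:
            raise MalformedTrailer(f"unsupported wire type {wire}")
    return out

def rejects(payload: bytes) -> bool:
    try:  # True when the hardened parser refuses the payload instead of allocating
        parse_status(payload)
        return False
    except MalformedTrailer:
        return True

GOOD_TRAILER = bytes([0x08, 0x08, 0x12, 0x09]) + b"slow down"  # constructed: code=8 (ResourceExhausted), message
OVERSIZED_TRAILER = bytes([0x1A, 0xFF, 0xFF, 0xFF, 0xFF, 0x07]) + b"abc"  # constructed: field 3 claims 2^31-1 bytes, 3 follow
```

The well-formed trailer parses normally, while the oversized one is rejected by the length check before any buffer is created, which is the failure mode the fix turns into a safe error.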

@renovate renovate Bot added the renovate label Apr 24, 2026
@renovate renovate Bot requested a review from a team as a code owner April 24, 2026 00:28
codecov Bot commented Apr 24, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.47%. Comparing base (7d89d55) to head (57a4bef).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #746   +/-   ##
=======================================
  Coverage   93.47%   93.47%           
=======================================
  Files          68       68           
  Lines        2956     2956           
  Branches      351      351           
=======================================
  Hits         2763     2763           
  Misses        135      135           
  Partials       58       58           


@askpt askpt added this pull request to the merge queue Apr 24, 2026
Merged via the queue into main with commit ec94acf Apr 24, 2026
24 checks passed
@askpt askpt deleted the renovate/vulnerability-updates branch April 24, 2026 07:54