CVE-2026-44902: Prometheus exporter process crash via malformed HTTP request
A single malformed HTTP request crashes any Node.js process running the OpenTelemetry JS Prometheus exporter. The metrics endpoint (default 0.0.0.0:9464) has no error handling around URL parsing, so a request with an invalid URI causes an uncaught TypeError that terminates the process.
You are affected by this vulnerability if either of the following applies to your application:
- you directly use @opentelemetry/exporter-prometheus in your code through its built-in server.
- your OTEL_METRICS_EXPORTER environment variable includes prometheus AND
  - you use @opentelemetry/sdk-node
  - you use @opentelemetry/auto-instrumentations-node via --require @opentelemetry/auto-instrumentations-node/register / --import @opentelemetry/auto-instrumentations-node/register