fix(security): update dependency io.opentelemetry:opentelemetry-api to v1.62.0 [security] #1794

Merged: renovate[bot] merged 1 commit into main from renovate/vulnerability-updates on May 15, 2026

Conversation

@renovate renovate Bot (Contributor) commented May 14, 2026

This PR contains the following updates:

Package                              Change
io.opentelemetry:opentelemetry-api   1.60.1 → 1.62.0

OpenTelemetry Java SDK has Unbounded Memory Allocation in W3C Baggage Propagation

CVE-2026-45292 / GHSA-rcgg-9c38-7xpx

Overview

A vulnerability affects the baggage propagation implementation in
opentelemetry-api and opentelemetry-extension-trace-propagators. Parsing oversized baggage
causes unbounded memory allocation and CPU consumption. Because baggage is automatically
re-injected into every outgoing request, the effect can fan out to downstream services that
never received the original malicious request.

Technical Details
  • W3CBaggagePropagator did not enforce any limit on the total size or entry count of the
    baggage header. The parser iterated character-by-character through the entire value
    regardless of length.
  • JaegerPropagator and OtTracePropagator had the same gap in their respective baggage
    extraction paths.
  • The W3C Baggage specification recommends a maximum of 8,192 bytes and 180 entries; none of
    these limits were enforced.
Impact

The practical availability impact for most deployments is limited. Every major Java HTTP server
enforces its own header size limit (Tomcat, Jetty, Netty, Vert.x, and gRPC-Java all default to
8 KiB), constraining what an external attacker can deliver before the application is reached.
The risk is higher when transport-layer limits are absent — e.g., a compromised internal service
communicating over a non-HTTP or custom transport.

Remediation

Update to version 1.62.0 or later (#8380).
The fix enforces limits consistent with the W3C Baggage specification at the propagator level:

  • Maximum total baggage size: 8,192 bytes across all baggage header values
  • Maximum number of entries: 64

Headers that would exceed either limit are dropped at the point the limit is reached;
already-extracted valid entries are retained.

Workarounds

Ensure HTTP header size limits are configured at the server or gateway level. Most Java HTTP
servers enforce an 8 KiB header limit by default, which mitigates external attack vectors
independently of this fix.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

open-telemetry/opentelemetry-java (io.opentelemetry:opentelemetry-api)

v1.62.0

API
Context
SDK
Traces
  • Avoid parentContext allocation on span start for the common case (#8332)
Metrics
  • Add setMaxExportBatchSize to PeriodicMetricReaderBuilder (#8296)
  • Fix PeriodicMetricReader shutdown race that could drop the final flush (#8299)
Exporters
  • BREAKING Prometheus: Change default server host from 0.0.0.0 to localhost (#8298)
  • BREAKING Prometheus: Stop converting unit "1" to "ratio" (#8252)
  • OTLP: Fix null input handling in StringEncoder (#8312)
  • OTLP: Align proto field types and wire tag names in marshalers (#8293)
  • OTLP: Fix MarshalerUtil sizeRepeatedString calculation (#8284)
  • OTLP: Bound JdkHttpSender thread pool size to prevent unbounded thread creation (#8276)
  • OTLP Profiles: Split profiles data model into separate sdk-profiles and JFR shim modules (#8207)
  • OTLP Profiles: Publish alpha release of opentelemetry-sdk-profiles and opentelemetry-exporter-otlp-profiles (#8351)
Extensions
  • BREAKING Declarative config: Extract to new opentelemetry-sdk-extension-declarative-config artifact with new package io.opentelemetry.sdk.autoconfigure.declarativeconfig (#8265)
  • Autoconfigure: Add file size validation in OtlpConfigUtil to avoid unsafe cast to int (#8287)
  • Declarative config: Fix collection fields to not be initialized to empty by default (#8356)
  • Incubator: Add EventToSpanEventBridge to bridge log-based events to span events (#8372)
Testing
  • Add @Nullable to equalTo value argument in OpenTelemetryAssertions (#8301)
  • Add hasValueSatisfying to LongPointAssert and DoublePointAssert for fuzzy value matching (#8328)
  • Add containsPointsSatisfying to metric data asserts for "each given assertion must be satisfied by at least one point, extras allowed" checks on sum, gauge, histogram, exponential histogram, and summary data (#8329)
Project tooling
  • Add initial OSGi support (#7964)
  • Promote ApiUsageLogger to opentelemetry-common public API (#8318)
  • Establish exception logging guidelines and fix inconsistent patterns across exporters and SDK (#8231)
  • Add *.impl.* package naming convention for internal code with japicmp compatibility (#8325)
  • Add Sonatype dependency audit to build (#8365)

v1.61.0

API
  • Stabilize isEnabled() on Tracer, Logger, and metric instruments (#8200)
Incubating
  • BREAKING Update EnvironmentGetter and EnvironmentSetter key normalization to reflect spec changes (#8233)
SDK
Traces
  • Retain propagated context when generating random trace IDs (#8263)
  • Add rate-limited warning log when BatchSpanProcessor drops spans (#8167)
Metrics
  • Track series start time per aggregator rather than at SdkMeterProvider creation time (#8180)
  • Capture context class loader during async callback registration (#8091)
  • Make include/exclude work correctly with empty (but non-null) lists (#8185)
Logs
  • Fix condition for recording successful log processing metrics (#8226)
Exporters
  • OTLP: add configurable bounds to response body reading (#8224, #8277)
  • OTLP: only throw invalid response exception when gRPC response size < 5 bytes (#8194)
  • OTLP: remove duplicate FINEST-level error logging in gRPC exporter (#8216)
  • OTLP Profiles: clean up profile signal exporters for consistency (#8172)
Extensions
  • BREAKING Autoconfigure: remove deprecated ComponentLoader class (use io.opentelemetry.common.ComponentLoader instead) (#8243)
  • Declarative config: fix DeclarativeConfigProperties javadoc to not throw exceptions (#8079)
  • Declarative config: resource attribute filtering should include attributes by default (#8177)
  • Declarative config: enforce IncludedExcludeModel .included and .excluded are not empty (#8266)
  • Autoconfigure: restructure SDK incubator to not depend on autoconfigure internals (#8242)
Project tooling
  • Disable Gradle build cache on releases to mitigate supply chain risk (#8254)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
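The advisory's Technical Details and Remediation sections describe two things a reader may want to see concretely: a baggage parser that walks the whole header regardless of length, and the fixed behaviour that stops at 8,192 bytes or 64 entries while keeping entries already extracted. The Workarounds section adds a third: a size check at the gateway before any parsing. The Python below is an added example written for this page; it is not code from the opentelemetry-java project or from the advisory, and it models the limit semantics as the advisory text states them (byte budget shared across all header values, cut-off at the point a limit is reached, earlier entries retained). The exact accounting the SDK uses for separators and malformed members is not on the page, so the choices here are this example's own assumptions.

```python
from urllib.parse import unquote

# Limits quoted from the advisory's remediation section (W3C Baggage recommends
# 8,192 bytes; the fix caps entries at 64). Everything else in this file is the
# example's own modelling of the described behaviour, not the SDK's code.
MAX_BAGGAGE_BYTES = 8192
MAX_BAGGAGE_ENTRIES = 64


def _list_members(value):
    """Yield comma-separated list members one at a time.

    Splitting lazily is the point: when the parse stops at a limit, the bytes
    after the cut-off are never inspected, so an oversized header cannot cost
    CPU or allocation proportional to its full length.
    """
    start = 0
    while True:
        end = value.find(",", start)
        if end == -1:
            yield value[start:]
            return
        yield value[start:end]
        start = end + 1


def parse_baggage(header_values, max_bytes=MAX_BAGGAGE_BYTES,
                  max_entries=MAX_BAGGAGE_ENTRIES):
    """Parse one or more `baggage` header values into a dict with limits applied.

    The byte budget is shared across all header values; each member is charged
    its UTF-8 length plus one byte for its separator (assumption). Parsing stops
    as soon as the next member would exceed either limit; members already
    accepted are kept. Returns (entries, truncated).
    """
    entries = {}
    consumed = 0
    truncated = False
    for value in header_values:
        for raw_member in _list_members(value):
            member_bytes = len(raw_member.encode("utf-8")) + 1
            if consumed + member_bytes > max_bytes or len(entries) >= max_entries:
                truncated = True
                break
            consumed += member_bytes
            # member = key "=" value [";" property ...]; properties are dropped here.
            key, sep, val = raw_member.split(";", 1)[0].partition("=")
            key = key.strip()
            if not sep or not key:
                continue  # malformed member: skipped, but still charged to the budget
            entries[key] = unquote(val.strip())
        if truncated:
            break
    return entries, truncated


def baggage_exceeds_limit(header_values, limit=MAX_BAGGAGE_BYTES):
    """Gateway-style pre-check matching the advisory's workaround: decide on the
    raw header size before any parsing happens, independent of the SDK fix."""
    total = sum(len(v.encode("utf-8")) + 1 for v in header_values)
    return total > limit


if __name__ == "__main__":
    # Constructed sample: 100 well-formed members, more than the entry cap.
    sample = ",".join(f"k{i}=v{i}" for i in range(100))
    kept, cut = parse_baggage([sample])
    print(f"kept {len(kept)} entries, truncated={cut}")
```

`parse_baggage` returns the `truncated` flag alongside the entries so a service can log or count truncation events; a sudden rise in that counter on an internal service is the signal the Impact section hints at, where transport-layer header limits may not apply. `baggage_exceeds_limit` is the cheaper check to run at an ingress or gateway, where rejecting the request outright is usually preferable to partial extraction.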

@renovate renovate Bot requested a review from a team as a code owner May 14, 2026 20:25
@renovate renovate Bot added the renovate label May 14, 2026
@renovate renovate Bot enabled auto-merge (squash) May 14, 2026 20:25
@renovate renovate Bot merged commit 75ff112 into main May 15, 2026
5 checks passed
@renovate renovate Bot deleted the renovate/vulnerability-updates branch May 15, 2026 00:22