Summary
A single malformed HTTP request crashes any Node.js process running the OpenTelemetry JS Prometheus exporter. The metrics endpoint (default 0.0.0.0:9464) has no error handling around URL parsing, so a request with an invalid URI causes an uncaught TypeError that terminates the process.
You are affected by this vulnerability if either of the following apply to your application:
- you directly use
@opentelemetry/exporter-prometheusin your code through its built-in server. - your
OTEL_METRICS_EXPORTERenvironment variable includesprometheusAND- you use
@opentelemetry/sdk-node - you use
@opentelemetry/auto-instrumentations-nodevia--require @opentelemetry/auto-instrumentations-node/register/--import @opentelemetry/auto-instrumentations-node/register
- you use
Update to the fixed version
Update @opentelemetry/exporter-prometheus and @opentelemetry/sdk-node to version 0.217.0 or later.
Update @opentelemetry/auto-instrumentations-node to version 0.75.0 or later.
This release adds proper error handling around the URL constructor, returning an HTTP 400 response on parse failure rather than allowing the exception to propagate and crash the process.
npm install @opentelemetry/exporter-prometheus@latest
Do Not Expose the Endpoint to Untrusted Users
[!IMPORTANT]
The following mitigations reduce exposure but do not fully remediate the vulnerability. Any client that can reach the metrics endpoint - including your own Prometheus scraper host if compromised - could still trigger the crash. Updating to 0.217.0 is the recommended resolution.
If updating is not immediately feasible, restrict access to the metrics endpoint so that it is not reachable by untrusted or unauthenticated network clients. For example:
Bind to localhost only by setting the
hostoption to127.0.0.1when configuring thePrometheusExporter, so the port is not exposed on public or shared network interfacesUse a firewall or network policy to restrict access to port
9464(or whichever port you have configured) to only trusted Prometheus scrape hostsPlace the endpoint behind a reverse proxy that filters or validates incoming requests before they reach the exporter
Details
In PrometheusExporter.ts, the _requestHandler calls new URL(request.url, this._baseUrl) without any error handling. Node's HTTP parser accepts absolute-form URIs (e.g. http://) for proxy compatibility, including malformed ones. When request.url is "http://", the URL constructor throws TypeError: Invalid URL. Since there is no try-catch in the handler, the exception propagates as an uncaught exception and crashes the process.
The Prometheus metrics endpoint is unauthenticated by design (Prometheus scrapes it) and binds to 0.0.0.0 by default, meaning it is reachable by any network client that can connect to the metrics port.
Proof of Concept
Start any Node.js application with the Prometheus exporter running on the default port 9464, then send a single raw TCP packet:
echo -ne 'GET http:// HTTP/1.1\r\nHost: localhost\r\n\r\n' | nc localhost 9464
The process crashes immediately with:
TypeError: Invalid URL
at new URL (...)
at PrometheusExporter._requestHandler (...)
Impact
Denial of service. Any application using the OpenTelemetry Prometheus exporter’s built-in server can be crashed by a single unauthenticated network packet sent to the metrics port. No authentication, special privileges, or prior access is required.
CVE-2026-44902 has a CVSS score of 7.5 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.217.0, 0.75.0); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
@opentelemetry/exporter-prometheus to 0.217.0 or later; @opentelemetry/sdk-node to 0.217.0 or later; @opentelemetry/auto-instrumentations-node to 0.75.0 or later
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-44902? CVE-2026-44902 is a high-severity security vulnerability in @opentelemetry/exporter-prometheus (npm), affecting versions < 0.217.0. It is fixed in 0.217.0, 0.75.0.
- How severe is CVE-2026-44902? CVE-2026-44902 has a CVSS score of 7.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which packages are affected by CVE-2026-44902?
@opentelemetry/exporter-prometheus(npm) (versions < 0.217.0)@opentelemetry/sdk-node(npm) (versions < 0.217.0)@opentelemetry/auto-instrumentations-node(npm) (versions < 0.75.0)
- Is there a fix for CVE-2026-44902? Yes. CVE-2026-44902 is fixed in 0.217.0, 0.75.0. Upgrade to this version or later.
- Is CVE-2026-44902 exploitable, and should I be worried? Whether CVE-2026-44902 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-44902 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-44902?
- Upgrade
@opentelemetry/exporter-prometheusto 0.217.0 or later - Upgrade
@opentelemetry/sdk-nodeto 0.217.0 or later - Upgrade
@opentelemetry/auto-instrumentations-nodeto 0.75.0 or later
- Upgrade