Skip to content

fix: upgrade extras/dagger OpenTelemetry dependencies to v1.41.0#3273

Closed
chainloop-development[bot] wants to merge 1 commit into
mainfrom
chainloop/fix-ghsa-mh2q-q3fh-2475-20260708-141815
Closed

fix: upgrade extras/dagger OpenTelemetry dependencies to v1.41.0#3273
chainloop-development[bot] wants to merge 1 commit into
mainfrom
chainloop/fix-ghsa-mh2q-q3fh-2475-20260708-141815

Conversation

@chainloop-development

@chainloop-development chainloop-development Bot commented Jul 8, 2026

Copy link
Copy Markdown

Summary

Upgraded the extras/dagger module from OpenTelemetry v1.38.0 to the first fixed release line, v1.41.0, to remove the vulnerable baggage header parsing implementation. The change is limited to that helper module and its required transitive dependency updates.

Vulnerability Fixed

GHSA-mh2q-q3fh-2475 (HIGH): OpenTelemetry-Go multi-value baggage header extraction can trigger excessive allocations and enable remote denial-of-service amplification before v1.41.0.

Changes Made

  • Bumped go.opentelemetry.io/otel, go.opentelemetry.io/otel/sdk, go.opentelemetry.io/otel/trace, and related OTLP exporter/metric modules in extras/dagger/go.mod from v1.38.0 to v1.41.0.
  • Accepted the minimal transitive dependency updates that the v1.41.0 OpenTelemetry release line requires in the same module.
  • Refreshed extras/dagger/go.sum to match the patched dependency graph.

Verification

Classification: resolved.

Attempted SBOM-first verification with syft dir:. -o cyclonedx-json | grype sbom:/dev/stdin --only-fixed -o json, but this grype build requires a seekable SBOM input and could not read stdin. As a best-effort fallback, I ran grype dir:. --only-fixed -o json against repo/, and it reported 0 matches for GHSA-mh2q-q3fh-2475.

Risk Assessment

View the risk assessment in Chainloop

Review in cubic

@kusari-inspector

Copy link
Copy Markdown

Kusari Inspector

Kusari Analysis Results:

Do not proceed without addressing issues

Caution

Flagged Issues Detected
These changes contain flagged issues that may introduce security risks.

The code security analysis found zero issues across the modified files (go.sum and go.mod), confirming no secrets, workflow, or code-level vulnerabilities were introduced. However, the dependency analysis identified multiple critical and high-severity unresolved vulnerabilities in the newly introduced dependency versions that we strongly recommend addressing before merging. Key concerns are: (1) google.golang.org/grpc v1.79.1 contains an authorization bypass (CVE-2026-33186, CVSS HIGH: C:H/I:H) where attackers can circumvent path-based deny rules via missing leading slashes in HTTP/2 :path pseudo-headers — update to v1.82.0; (2) golang.org/x/net v0.50.0 carries two unresolved HIGH advisories: an HTTP/2 infinite loop DoS (CVE-2026-33814) and an IDNA privilege escalation enabling access control bypass (CVE-2026-39821) — update to v0.56.0; (3) go.opentelemetry.io/otel/sdk v1.41.0 has a PATH hijacking vulnerability enabling arbitrary code execution on BSD/Solaris platforms (CVE-2026-39883) — update to v1.44.0; (4) OTLP HTTP exporters at v1.41.0 allow memory exhaustion via unbounded HTTP response body reads if the collector endpoint is compromised or subject to MITM (CVE-2026-39882) — update both otlpmetrichttp and otlptracehttp to v1.44.0. While this PR successfully remediates GHSA-mh2q-q3fh-2475, the net security posture introduces more high-severity risk than it resolves. We strongly recommend updating all affected dependencies to their fixed versions before merging.

Note

View full detailed analysis result for more information on the output and the checks that were run.

Required Dependency Mitigations

  • CRITICAL - google.golang.org/grpc v1.79.1 (CVE-2026-33186): Authorization bypass via missing leading slash in HTTP/2 :path pseudo-header. Attackers can bypass path-based deny rules if a fallback allow rule exists. CVSS HIGH (AV:N/AC:L/PR:N/UI:N/C:H/I:H/A:N). The fix requires v1.79.3 or newer. Per the vulnerabilityFixReport, update to v1.82.0: go get google.golang.org/grpc@v1.82.0
  • HIGH - golang.org/x/net v0.50.0 still carries multiple unresolved advisories: (1) CVE-2026-33814 - HTTP/2 infinite loop DoS when SETTINGS_MAX_FRAME_SIZE=0 (CVSS HIGH AV:N/AC:L); (2) CVE-2026-39821 - IDNA privilege escalation allowing access controls to be bypassed via Punycode-encoded labels (CVSS HIGH C:H/I:H). The new version v0.50.0 does NOT fix these. Per the vulnerabilityFixReport, update to v0.56.0: go get golang.org/x/net@v0.56.0
  • HIGH - go.opentelemetry.io/otel/sdk v1.41.0 (CVE-2026-39883): BSD kenv command PATH hijacking enabling arbitrary code execution on BSD/Solaris platforms (CVSS:4.0 VC:H/VI:H/VA:H). The new version v1.41.0 does NOT fully resolve this (it persists as an advisory). Per the vulnerabilityFixReport, update to v1.44.0: go get go.opentelemetry.io/otel/sdk@v1.44.0
  • HIGH - go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp and go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.41.0 (GHSA-w8rr-5gcm-pp58 / CVE-2026-39882): OTLP HTTP exporters read unbounded HTTP response bodies enabling memory exhaustion/OOM if the collector endpoint is attacker-controlled or subject to MITM. Both old and new versions are affected. Per the vulnerabilityFixReport, update both to v1.44.0: go get go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp@v1.44.0 and go get go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp@v1.44.0

@kusari-inspector rerun - Trigger a re-analysis of this PR
@kusari-inspector feedback [your message] - Send feedback to our AI and team
See Kusari's documentation for setup and configuration.
Commit: 3e23e36, performed at: 2026-07-08T12:18:57Z

Found this helpful? Give it a 👍 or 👎 reaction!

migmartri added a commit to migmartri/chainloop that referenced this pull request Jul 9, 2026
Combined upgrade of the extras/dagger module dependencies to resolve
all four open security advisories in a single change, since the
individual bot PRs (chainloop-dev#3273, chainloop-dev#3274, chainloop-dev#3275, chainloop-dev#3276) conflict with each
other by modifying the same go.mod lines.

Advisories resolved:
- GHSA-p77j-4mvh-x3m3 (CRITICAL): gRPC-Go authorization bypass via
  missing leading slash in :path. Fixed by grpc v1.80.0 (>= v1.79.3).
- GHSA-mh2q-q3fh-2475 (HIGH): OpenTelemetry-Go baggage header DoS.
  Fixed by OTel v1.43.0 (>= v1.41.0).
- GHSA-hfvc-g4fc-pqhx (HIGH): OpenTelemetry-Go BSD kenv PATH hijack.
  Fixed by OTel SDK v1.43.0.
- GO-2026-5026 (HIGH): golang.org/x/net idna Punycode bypass.
  Fixed by x/net v0.55.0.

Verification performed:
- dagger develop (codegen) succeeds
- go build ./... compiles
- go vet ./... passes
- golangci-lint run: 0 issues
- go mod verify: all modules verified
- dagger call loads and instantiates the module
- with-instance function executes
- init function executes (fails at auth layer, not code)
- init --enterprise pulls enterprise image and executes

🤖 _Posted by Maximus bot on behalf of @migmartri_
migmartri added a commit to migmartri/chainloop that referenced this pull request Jul 9, 2026
Combined upgrade of the extras/dagger module dependencies to resolve
all four open security advisories in a single change, since the
individual bot PRs (chainloop-dev#3273, chainloop-dev#3274, chainloop-dev#3275, chainloop-dev#3276) conflict with each
other by modifying the same go.mod lines.

Advisories resolved:
- GHSA-p77j-4mvh-x3m3 (CRITICAL): gRPC-Go authorization bypass via
  missing leading slash in :path. Fixed by grpc v1.80.0 (>= v1.79.3).
- GHSA-mh2q-q3fh-2475 (HIGH): OpenTelemetry-Go baggage header DoS.
  Fixed by OTel v1.43.0 (>= v1.41.0).
- GHSA-hfvc-g4fc-pqhx (HIGH): OpenTelemetry-Go BSD kenv PATH hijack.
  Fixed by OTel SDK v1.43.0.
- GO-2026-5026 (HIGH): golang.org/x/net idna Punycode bypass.
  Fixed by x/net v0.55.0.

Assisted-by: Claude Code
Signed-off-by: Miguel Martinez <migmartri@gmail.com>
Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants