Summary
The five OpenTelemetry packages pinned in eng/packages/ProjectTemplates.props are at version 1.14.0, which is vulnerable to three security advisories published April 23, 2026:
- GHSA-g94r-2vxg-569j — Excessive memory allocation parsing OTel propagation headers (OpenTelemetry.Api, patched in 1.15.3)
- GHSA-mr8r-92fq-pj8p — Unbounded grpc-status-details-bin parsing in OTLP/gRPC retry (OpenTelemetry.Exporter.OpenTelemetryProtocol, patched in 1.15.3)
- GHSA-q834-8qmm-v933 — OTLP exporter reads unbounded HTTP response bodies (OpenTelemetry.Exporter.OpenTelemetryProtocol, patched in 1.15.2)
Proposed fix in eng/packages/ProjectTemplates.props:

```xml
<PackageVersion Include="OpenTelemetry.Exporter.OpenTelemetryProtocol" Version="1.15.3" />
<PackageVersion Include="OpenTelemetry.Extensions.Hosting" Version="1.15.3" />
<PackageVersion Include="OpenTelemetry.Instrumentation.AspNetCore" Version="1.15.3" />
<PackageVersion Include="OpenTelemetry.Instrumentation.Http" Version="1.15.3" />
<PackageVersion Include="OpenTelemetry.Instrumentation.Runtime" Version="1.15.3" />
```
This is a template-only version update; no shipped library APIs change.
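As an added verification step (not part of this PR and not OpenTelemetry project code): a small script that scans a central package management props file for `PackageVersion` pins below the fix versions the advisories above name. The two props fragments are constructed for the example; `MIN_FIXED` mirrors the advisory list, and `OpenTelemetry.Api` is included only because it is an advisory target, even though it is not pinned directly in ProjectTemplates.props. Element names and attributes follow the MSBuild `PackageVersion` item shape shown in the proposed fix.

```python
"""Scan an MSBuild props file for OpenTelemetry pins below advisory fix versions.

Added example, not project code. Sample props fragments are constructed.
"""
import xml.etree.ElementTree as ET

# Minimum fixed version per package, taken from the three advisories above.
# OpenTelemetry.Api is normally a transitive dependency (via Extensions.Hosting),
# so it will rarely appear as a direct pin; it is listed so a direct pin is still caught.
MIN_FIXED = {
    "OpenTelemetry.Exporter.OpenTelemetryProtocol": "1.15.3",  # GHSA-mr8r-92fq-pj8p, GHSA-q834-8qmm-v933
    "OpenTelemetry.Api": "1.15.3",                             # GHSA-g94r-2vxg-569j
}


def parse_version(v):
    """NuGet-style version into a comparable tuple.

    Numeric core is padded to four parts; a -prerelease suffix sorts below
    the corresponding release (1.15.3-beta.1 < 1.15.3).
    """
    core, _, pre = v.partition("-")
    nums = tuple(int(p) for p in core.split("."))
    nums = nums + (0,) * (4 - len(nums))
    return (nums, 0 if pre else 1, pre)


def _local(tag):
    # Strip an XML namespace if the props file declares the legacy MSBuild xmlns.
    return tag.rsplit("}", 1)[-1]


def pinned_versions(props_xml):
    """Return {package_id: version_string} for every PackageVersion item.

    Pins whose Version is an MSBuild property (e.g. "$(OtelVersion)") cannot be
    resolved without evaluating the project, so they are reported separately.
    """
    root = ET.fromstring(props_xml)
    pins, unresolved = {}, []
    for el in root.iter():
        if _local(el.tag) != "PackageVersion":
            continue
        pkg, ver = el.get("Include"), el.get("Version")
        if not pkg or not ver:
            continue
        if ver.startswith("$("):
            unresolved.append((pkg, ver))
        else:
            pins[pkg] = ver
    return pins, unresolved


def vulnerable_pins(props_xml, minimums=MIN_FIXED):
    """List (package, pinned_version, required_version) for pins below the fix."""
    pins, _ = pinned_versions(props_xml)
    findings = []
    for pkg, ver in sorted(pins.items()):
        if pkg in minimums and parse_version(ver) < parse_version(minimums[pkg]):
            findings.append((pkg, ver, minimums[pkg]))
    return findings


# Constructed sample: the state described in the summary (before) and the proposed fix (after).
PROPS_BEFORE = """<Project>
  <ItemGroup>
    <PackageVersion Include="OpenTelemetry.Exporter.OpenTelemetryProtocol" Version="1.14.0" />
    <PackageVersion Include="OpenTelemetry.Extensions.Hosting" Version="1.14.0" />
    <PackageVersion Include="OpenTelemetry.Instrumentation.AspNetCore" Version="1.14.0" />
    <PackageVersion Include="OpenTelemetry.Instrumentation.Http" Version="1.14.0" />
    <PackageVersion Include="OpenTelemetry.Instrumentation.Runtime" Version="1.14.0" />
  </ItemGroup>
</Project>"""

PROPS_AFTER = PROPS_BEFORE.replace('Version="1.14.0"', 'Version="1.15.3"')

if __name__ == "__main__":
    for label, props in (("before", PROPS_BEFORE), ("after", PROPS_AFTER)):
        for pkg, have, need in vulnerable_pins(props):
            print(f"{label}: {pkg} pinned at {have}, advisory fix is {need}")
```

The script only sees direct pins. Because the OpenTelemetry.Api fix arrives transitively through the bumped packages, confirm the restored graph after the version change with `dotnet list package --vulnerable --include-transitive`, which reports advisories against both direct and transitive packages.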