What did you do?
A dependency audit of TiCDC master shows that TiCDC currently resolves go.opentelemetry.io/otel/sdk v1.24.0 transitively.
The dependency path is:
github.com/pingcap/ticdc/pkg/etcd
go.etcd.io/etcd/server/v3/embed
go.opentelemetry.io/otel/sdk/resource
GitHub advisory GHSA-9h8m-3fm2-qjrq / CVE-2026-24051 reports arbitrary code execution via PATH hijacking in go.opentelemetry.io/otel/sdk. The follow-up advisory GHSA-hfvc-g4fc-pqhx / CVE-2026-39883 states that the earlier fix was incomplete for BSD/Solaris kenv, and lists go.opentelemetry.io/otel/sdk versions >= 1.15.0, <= 1.42.0 as vulnerable with 1.43.0 as the first patched version.
References:
What did you expect to see?
TiCDC should not depend on a vulnerable OpenTelemetry SDK version. The dependency graph should resolve go.opentelemetry.io/otel/sdk to v1.43.0 or later, together with the matching OpenTelemetry companion modules.
What did you see instead?
TiCDC resolves go.opentelemetry.io/otel/sdk v1.24.0, which is within the vulnerable version ranges. This leaves TiCDC builds exposed to the upstream OpenTelemetry SDK PATH hijacking vulnerability on affected platforms until the dependency is upgraded.
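The resolution check described above, as an added example that is not part of this report or of the TiCDC code base: it reads `go list -m all` output (a constructed sample here, not TiCDC's real module list) and flags go.opentelemetry.io/otel/sdk whenever it resolves inside the advisory's range or below the v1.43.0 patched release.

```python
import re
from typing import Optional, Tuple

# Affected module and range as quoted above from GHSA-hfvc-g4fc-pqhx / CVE-2026-39883:
# >= 1.15.0 and <= 1.42.0 vulnerable, 1.43.0 first patched.
VULN_MODULE = "go.opentelemetry.io/otel/sdk"
VULN_MIN = (1, 15, 0, 1)   # v1.15.0 tagged release
FIXED = (1, 43, 0, 1)      # v1.43.0 tagged release

# Constructed sample of `go list -m all` output; not TiCDC's real module list.
SAMPLE_MODULE_LIST = """\
github.com/pingcap/ticdc
go.etcd.io/etcd/server/v3 v3.5.12
go.opentelemetry.io/otel v1.24.0
go.opentelemetry.io/otel/sdk v1.24.0
go.opentelemetry.io/otel/trace v1.24.0
"""

_VERSION_RE = re.compile(r"^v(\d+)\.(\d+)\.(\d+)(-)?")

def parse_version(v: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, patch, release) for a Go module version.
    release is 1 for a tag (v1.24.0, v2.0.0+incompatible) and 0 for a pre-release or
    pseudo-version (v1.43.0-0.2026...-abcdef), which Go orders before the tag, so it
    must not be treated as already patched."""
    m = _VERSION_RE.match(v)
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1)

def is_vulnerable(version: str) -> bool:
    """Flag everything from v1.15.0 up to, but not including, the v1.43.0 release."""
    parsed = parse_version(version)
    return parsed is not None and VULN_MIN <= parsed < FIXED

def resolved_version(module_list: str, module: str) -> Optional[str]:
    """Version that `go list -m all` resolved for `module`, honouring `=>` replaces
    (a directory replace yields a path, which parse_version then rejects)."""
    for line in module_list.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == module:
            return parts[-1] if "=>" in parts else parts[1]
    return None

def audit(module_list: str) -> Tuple[Optional[str], bool]:
    """Return (resolved version or None, vulnerable?) for the SDK module."""
    ver = resolved_version(module_list, VULN_MODULE)
    return ver, ver is not None and is_vulnerable(ver)
```

Run it against real output with `go list -m all > modules.txt` in the TiCDC checkout and pass the file contents to `audit`.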
Versions of the cluster
Upstream TiDB cluster version (execute SELECT tidb_version(); in a MySQL client):
N/A - dependency vulnerability, not cluster-version specific.
Upstream TiKV version (execute tikv-server --version):
N/A - dependency vulnerability, not cluster-version specific.
TiCDC version (execute cdc version):
master before PR #4884, with go.opentelemetry.io/otel/sdk v1.24.0 in go.mod.