opentelemetry-go-contrib is vulnerable to denial of service through memory exhaustion. The otelhttp handler wrapper (instrumentation/net/http/otelhttp) records request metrics with labels whose values come from client-controlled request fields and are therefore of unbounded cardinality: every distinct value creates a new metric series that stays resident in the process. An attacker can send requests that vary those values on each request, growing the metric store without limit until the process runs out of memory. The fix is linked below (commit, pull request and the v1.19.0 release tag).
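The following is an added example (not code from this advisory or from the opentelemetry-go-contrib project) showing the failure mode and its hardened form. It assumes a small SeriesStore type that stands in for a metrics SDK's aggregation store (one resident series per distinct attribute set); the page does not say which request fields the real wrapper used as labels, so the request method and User-Agent header are used here as two illustrative attacker-controlled fields. The names UnboundedHandler, BoundedHandler, NormalizeMethod and Flood are this example's own.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sort"
	"strings"
	"sync"
)

// SeriesStore is a hypothetical stand-in for a metrics SDK's aggregation
// store: each distinct attribute set becomes its own timeseries and stays
// resident until the process exits, which is what turns unbounded label
// values into a memory-exhaustion vector.
type SeriesStore struct {
	mu     sync.Mutex
	counts map[string]int
}

func NewSeriesStore() *SeriesStore { return &SeriesStore{counts: map[string]int{}} }

// Add increments the counter for one attribute set; keys are sorted so the
// same set always maps to the same series key.
func (s *SeriesStore) Add(attrs map[string]string) {
	keys := make([]string, 0, len(attrs))
	for k := range attrs {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b strings.Builder
	for _, k := range keys {
		fmt.Fprintf(&b, "%s=%q;", k, attrs[k])
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.counts[b.String()]++
}

// Series returns how many distinct timeseries the store currently holds.
func (s *SeriesStore) Series() int {
	s.mu.Lock()
	defer s.mu.Unlock()
	return len(s.counts)
}

// UnboundedHandler mirrors the vulnerable pattern: request fields the client
// fully controls are copied verbatim into metric attributes, so every new
// method token or User-Agent string allocates a new resident series.
func UnboundedHandler(store *SeriesStore, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		next.ServeHTTP(w, r)
		store.Add(map[string]string{
			"http.method":     r.Method,                   // any HTTP token, not just GET/POST/...
			"http.user_agent": r.Header.Get("User-Agent"), // free-form text chosen by the client
		})
	})
}

// knownMethods is the closed set of values the method label may take.
var knownMethods = map[string]struct{}{
	"GET": {}, "HEAD": {}, "POST": {}, "PUT": {}, "DELETE": {},
	"CONNECT": {}, "OPTIONS": {}, "TRACE": {}, "PATCH": {},
}

// NormalizeMethod collapses anything outside the known set into a single
// bucket, fixing the label's cardinality at len(knownMethods)+1 no matter
// what clients send.
func NormalizeMethod(m string) string {
	u := strings.ToUpper(m)
	if _, ok := knownMethods[u]; ok {
		return u
	}
	return "_OTHER"
}

// BoundedHandler is the hardened form: the method label is normalised and the
// free-form User-Agent label is left off metrics entirely (it belongs on spans
// or logs, where one value does not cost a resident series).
func BoundedHandler(store *SeriesStore, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		next.ServeHTTP(w, r)
		store.Add(map[string]string{"http.method": NormalizeMethod(r.Method)})
	})
}

// Flood wraps a trivial handler with wrap, sends n requests that each carry a
// unique method token and User-Agent, and reports how many series remain.
func Flood(wrap func(*SeriesStore, http.Handler) http.Handler, n int) int {
	store := NewSeriesStore()
	h := wrap(store, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusNoContent)
	}))
	for i := 0; i < n; i++ {
		req := httptest.NewRequest(fmt.Sprintf("M%d", i), "/", nil) // constructed attacker traffic
		req.Header.Set("User-Agent", fmt.Sprintf("ua-%d", i))
		h.ServeHTTP(httptest.NewRecorder(), req)
	}
	return store.Series()
}

func main() {
	fmt.Println("unbounded labels, series after 10000 requests:", Flood(UnboundedHandler, 10000))
	fmt.Println("bounded labels,   series after 10000 requests:", Flood(BoundedHandler, 10000))
}
```

The check a practitioner wants is the one Flood performs: drive the wrapped handler with traffic that varies every client-controlled field and watch whether the series count tracks the request count. Any label that does must either be drawn from a fixed allowlist (as NormalizeMethod does) or moved off metrics onto spans or logs.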
github.com/advisories/GHSA-cg3q-j54f-5p7p
github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65
github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9
github.com/open-telemetry/opentelemetry-go-contrib/pull/4277
github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0
github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-5r5m-65gx-7vrh
github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-rcjv-mgp8-qvmr
github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223
github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2UTRJ54INZG3OC2FTAN6AFB2RYNY2GAD/