Description
The import-in-the-middle loader that @opentelemetry/instrumentation relies on works by generating a wrapper module on the fly for each module it hooks. The wrapper uses the module specifier to load the original module and adds the wrapping code around it. Because the wrapper is built from the specifier, an application that passes user-supplied input directly to an import() call while this loader is active can be made to execute attacker-controlled code (remote code execution).
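As an added example (not code from this page, from @opentelemetry/instrumentation, or from import-in-the-middle), the vulnerable call pattern is shown next to a hardened form in which the application only ever imports specifiers taken from a fixed table, so request data can never reach the loader as a raw specifier. The allowlist contents, the function names and the attacker-shaped test inputs are assumptions constructed for this illustration.

```javascript
// Added example (not code from @opentelemetry/instrumentation or
// import-in-the-middle): never hand a request-controlled string to import().
// PLUGIN_ALLOWLIST, resolvePluginSpecifier, loadPlugin and isRejected are
// illustrative names assumed for this example.

// Constructed allowlist: the only specifiers this application will ever import.
// Node built-ins are used as values so the example runs offline; a real
// application would list its own plugin modules here.
const PLUGIN_ALLOWLIST = new Map([
  ['url', 'node:url'],
  ['path', 'node:path'],
]);

// Vulnerable pattern from the advisory: the raw user string reaches the loader,
// so whoever controls the string controls the specifier the loader wraps.
// Even without a loader, import() of a data: URL runs attacker-supplied code.
async function loadPluginUnsafe(userInput) {
  return import(userInput);
}

// Hardened form: the user picks a short key; the specifier comes only from the
// table. Returns the allowlisted specifier or throws, so callers cannot fall
// through with a partially validated value.
function resolvePluginSpecifier(userInput) {
  if (typeof userInput !== 'string' || !/^[a-z0-9_-]{1,32}$/i.test(userInput)) {
    throw new TypeError('invalid plugin name');
  }
  const specifier = PLUGIN_ALLOWLIST.get(userInput);
  if (specifier === undefined) {
    throw new Error(`plugin not allowed: ${userInput}`);
  }
  return specifier;
}

async function loadPlugin(userInput) {
  return import(resolvePluginSpecifier(userInput));
}

// Small helper for checking that attacker-shaped input is refused.
function isRejected(userInput) {
  try {
    resolvePluginSpecifier(userInput);
    return false;
  } catch {
    return true;
  }
}
```

Upgrading the package removes the loader-side issue, but `import(userInput)` stays a code-execution sink on its own (data: URLs, arbitrary file paths), so the allowlist belongs in the application regardless of which @opentelemetry/instrumentation version is installed.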
Recommendation
Update the @opentelemetry/instrumentation package to the latest compatible version, at least 0.41.2. Version details:
- Affected version(s): >= 0.40.0, < 0.41.2
- Patched version(s): 0.41.2
Last updated on August 18, 2023