CRE-2025-0037

OpenTelemetry Collector panics on nil attribute value in Prometheus Remote Write translatorLow

Impact: 8/10

Mitigation: 4/10

CRE-2025-0037View on GitHub

CrashPrometheusOtel CollectorExporterPanicTranslationAttributeNil PointerKnown IssuePublic

Description

The OpenTelemetry Collector can panic due to a nil pointer dereference in the Prometheus Remote Write exporter. The issue occurs when attribute values are assumed to be strings, but the internal representation is nil or incompatible, leading to a runtime `SIGSEGV` segmentation fault and crashing the collector.

Mitigation

- Upgrade to a release of `opentelemetry-collector-contrib` after v0.115.0 if available. - Patch your local copy of `createAttributes()` to check `value.Type()` before calling `.AsString()`. - Validate attributes in processors or before export using a custom transformation or sanitization pipeline. - Add a panic recovery guard using the `memory_limiter` or `batch` processor (limited mitigation).

References

• https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/main/pkg/translator/prometheusremotewrite/helper.go
• https://github.com/open-telemetry/opentelemetry-collector/issues/9891