CRE-2025-0037

OpenTelemetry Collector panics on nil attribute value in Prometheus Remote Write translator
Severity: Low
Impact: 8/10
Mitigation: 4/10

Description

The OpenTelemetry Collector can panic due to a nil pointer dereference in the Prometheus Remote Write exporter. The issue occurs when attribute values are assumed to be strings, but the internal representation is nil or incompatible, leading to a runtime `SIGSEGV` segmentation fault and crashing the collector.


Cause

The Prometheus Remote Write translator (`createAttributes`) iterates over attribute maps using `.Range` and calls `.AsString()` directly on each `pcommon.Value` without first checking its type or whether it is nil. If the internal protobuf-backed `AnyValue` is unset or incompatible, the call triggers a Go panic.
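One way to detect this crash signature in collector stderr, as an added example that is not part of this CRE or the collector's code: it flags a Go nil-dereference panic whose trace carries the `SIGSEGV` marker followed by a `createAttributes` frame. The sample log, its package paths and the 40-line `window` are constructed assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed collector stderr; package paths, addresses and frames are illustrative.
const sampleLog = `info collector started
warn createAttributes(...) dropped one label
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x0]

goroutine 42 [running]:
example/pcommon.Value.AsString(...)
example/translator.createAttributes(...)
`

const window = 40 // assumed max lines between the panic header and the frame

// DetectCrash returns the 1-based line numbers of nil-dereference panics whose
// stack trace contains a SIGSEGV marker followed by a createAttributes frame.
func DetectCrash(log string) (hits []int) {
	sc := bufio.NewScanner(strings.NewReader(log))
	start, segv := 0, false // start == 0 means no candidate panic is open
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		switch {
		case strings.HasPrefix(line, "panic: "):
			start, segv = 0, false
			if strings.Contains(line, "nil pointer dereference") {
				start = n
			}
		case start == 0 || n-start > window:
			start = 0 // outside any trace, or the trace ran past the window
		case strings.HasPrefix(line, "[signal SIGSEGV"):
			segv = true
		case segv && strings.Contains(line, ".createAttributes("):
			hits = append(hits, start)
			start = 0 // report each crash once
		}
	}
	return hits
}

func main() {
	fmt.Println("matching panics start at lines:", DetectCrash(sampleLog))
}
```

A log line that merely mentions `createAttributes`, or a panic of a different kind, does not match; only the three markers in order within one trace do.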


Mitigation

  • Upgrade to a release of `opentelemetry-collector-contrib` after v0.115.0 if available.
  • Patch your local copy of `createAttributes()` to check `value.Type()` before calling `.AsString()`.
  • Validate attributes in processors or before export using a custom transformation or sanitization pipeline.
  • Add a panic recovery guard using the `memory_limiter` or `batch` processor (limited mitigation).

References