From a3d6d2336dfd15b741968e4fcef628102d3a5915 Mon Sep 17 00:00:00 2001 
From: skobeltsyn
Date: Mon, 25 May 2026 19:36:28 +0300
Subject: [PATCH] =?UTF-8?q?fix(#2387):=20bump=20opentelemetry-api=201.51.0?=
 =?UTF-8?q?=20=E2=86=92=201.62.0=20(W3C=20Baggage=20CVE)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Dependabot alert #5: io.opentelemetry:opentelemetry-api <= 1.61.0 allows unbounded memory allocation and CPU consumption when parsing oversized baggage headers in W3CBaggagePropagator, JaegerPropagator, and OtTracePropagator. Because baggage auto-re-injects into outgoing requests, a single malicious header fans out across the downstream graph.

1.62.0 enforces caps consistent with the W3C Baggage spec at the propagator level: 8,192 bytes total, 64 entries. Over-limit headers are dropped at the cap point; already-extracted valid entries are retained.

Practical exposure for Agents.KT is limited — we expose OpenTelemetry only through the `:agents-kt-otel` adapter, and the adapter emits spans rather than parsing inbound baggage. Risk applies to downstream consumers who enable baggage propagation in their own SDK pipeline, especially on non-HTTP transports where transport-layer header limits don't apply.

The fix is a version bump:

- agents-kt-otel/build.gradle.kts: 1.51.0 → 1.62.0 on both the production `opentelemetry-api` dependency and the testImplementation `opentelemetry-sdk-trace`.
- gradle/verification-metadata.xml: refreshed via `./gradlew updateVerificationMetadata` for the four pinned OTel components (api, context, sdk-common, sdk-trace) plus the new transitive `opentelemetry-common` 1.62.0. Stale 1.51.0 entries removed so the metadata file remains the authoritative current state.

`./gradlew :agents-kt-otel:test`: 7/7 green. No API surface changes between 1.51 and 1.62 affect our use; the adapter compiles + behaves unchanged.
Co-Authored-By: Claude Opus 4.7 (1M context) --- agents-kt-otel/build.gradle.kts | 7 +++-- gradle/verification-metadata.xml | 48 +++++++++++++++++++------------- 2 files changed, 33 insertions(+), 22 deletions(-) diff --git a/agents-kt-otel/build.gradle.kts b/agents-kt-otel/build.gradle.kts index 6186126..94ec17d 100644 --- a/agents-kt-otel/build.gradle.kts +++ b/agents-kt-otel/build.gradle.kts @@ -26,11 +26,14 @@ configurations.all { dependencies { api(project(":agents-kt-observability")) - api("io.opentelemetry:opentelemetry-api:1.51.0") + // #2387 — 1.62.0 patches CVE in W3C Baggage propagation (unbounded + // memory + CPU on oversized headers). Per-propagator caps at 8,192 + // bytes / 64 entries. Affects 1.51.0..1.61.0; no API changes touch us. + api("io.opentelemetry:opentelemetry-api:1.62.0") testImplementation(kotlin("test")) testImplementation("org.jetbrains.kotlinx:kotlinx-coroutines-test:1.11.0") - testImplementation("io.opentelemetry:opentelemetry-sdk-trace:1.51.0") + testImplementation("io.opentelemetry:opentelemetry-sdk-trace:1.62.0") } kotlin { diff --git a/gradle/verification-metadata.xml b/gradle/verification-metadata.xml index 2f2ddd4..f3835cb 100644 --- a/gradle/verification-metadata.xml +++ b/gradle/verification-metadata.xml @@ -161,36 +161,44 @@ - - - + + + - - + + - - - + + + - - + + - - - + + + - - + + - - - + + + - - + + + + + + + + + +
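Review bot: the affected-range wording in the new comment in the agents-kt-otel/build.gradle.kts hunk, `// ... Affects 1.51.0..1.61.0; no API changes touch us.`, is narrower than the commit message's `<= 1.61.0`; 1.51.0 is only the version this project was pinned to, not the start of the vulnerable range, so someone bisecting an older branch could read the comment as saying earlier releases are clean. Suggest `Affected: <= 1.61.0 (we were on 1.51.0)`. Separately, consider keeping just the `#2387` reference in the build file and leaving the cap figures (8,192 bytes / 64 entries) and the "no API changes touch us" claim to the commit message, since both will silently go stale on the next routine bump of this dependency line.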
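Review bot: the gradle/verification-metadata.xml hunk is not reviewable as rendered here (only the +/- markers survived, the component and checksum elements did not), so the new checksum entries for the 1.62.0 components (api, context, sdk-common, sdk-trace, plus the new transitive opentelemetry-common) cannot be checked from the diff. A regeneration task records the hash of whatever artifact Gradle actually resolved, so please cross-check the new sha256 values against the checksum files published alongside each artifact in the upstream repository before merging, and state in the PR which entries are new versus updated. The arithmetic is consistent with the description: the stat gives 33/22 overall, the build.gradle.kts hunk accounts for 5/2, leaving 28/20 for the XML, and the hunk header's 36 → 44 line growth matches one additional component block for opentelemetry-common; a reviewer should still be able to confirm that from a readable diff rather than from the counts.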