You may have seen a recent Node.js security advisory and related coverage discussing a potential denial-of-service issue involving async_hooks. OpenTelemetry (and other APM tools) were mentioned because we rely on AsyncLocalStorage for context propagation.
To be clear: this is not a bug or vulnerability in OpenTelemetry. The issue ultimately lies in applications and frameworks that rely on unspecified stack space exhaustion behavior for availability. In Node.js versions before 24.x, AsyncLocalStorage is implemented on top of async_hooks, which - when combined with this unsafe assumption — made the edge case easier to reproduce.

OpenTelemetry's platform is an observability framework, offering insights into distributed tracing, metrics collection, and log management for cloud-native applications. Through documentation, tutorials, and community contributions, OpenTelemetry provides insights into instrumenting applications to monitor performance and troubleshoot issues. Developers and DevOps teams can learn about distributed tracing standards, telemetry data formats, and integration with observability tools to gain visibility into complex distributed systems.

OpenTelemetry

OpenTelemetry clarifies that a recent Node.js denial-of-service advisory involving async_hooks is not a vulnerability in OpenTelemetry itself. The issue stems from applications relying on unspecified stack space exhaustion behavior. Node.js has fixed this in version 20.20.0 and newer, but the fix won't be backported to Node.js 18. Users should upgrade to Node.js 20+ as the recommended mitigation, with no OpenTelemetry-specific changes required.

OpenTelemetry JS Statement on Node.js DOS Mitigation