149 matches found
CVE-2026-50271
CVE-2026-50271 affects the Datadog dd-trace-py Python APM client (prior to 4.8.2). The issue is improper parsing of W3C baggage headers, failing to enforce DD_TRACE_BAGGAGE_MAX_ITEMS/MAX_BYTES on the extract path. A remote, unauthenticated attacker can send baggage headers with an arbitrarily lar...
CVE-2026-50274
Datadog dd-trace-go (Go client library for Datadog APM/ profiling/ security monitoring) is affected prior to version 2.8.1 due to improper enforcement of DD_TRACE_BAGGAGE_MAX_ITEMS/MAX_BYTES on the baggage header extract path. A remote, unauthenticated attacker can send HTTP requests with an exce...
CVE-2026-50272
CVE-2026-50272 affects dd-trace for Node.js (pre-5.100.0). The issue occurs in W3C baggage propagation: baggage headers are parsed without enforcing DD_TRACE_BAGGAGE_MAX_ITEMS or DD_TRACE_BAGGAGE_MAX_BYTES during extraction in packages/dd-trace/src/baggage.js and packages/dd-trace/src/opentracing...
CVE-2026-50272 dd-trace: Improper parsing of W3C baggage headers may lead to DoS
dd-trace is the Datadog APM client for Node.js. Prior to 5.100.0, W3C baggage propagation in packages/dd-trace/src/baggage.js and packages/dd-trace/src/opentracing/propagation/textmap.js parsed incoming baggage HTTP headers without enforcing DDTRACEBAGGAGEMAXITEMS or DDTRACEBAGGAGEMAXBYTES on...
CVE-2026-48504
OpenTelemetry Rust (CVE-2026-48504) concerns BaggagePropagator::extract_with_context in opentelemetry_sdk. In 0.32.0 and earlier, it did not enforce W3C Baggage size limits before parsing an inbound baggage header, allowing an attacker-controlled header to trigger unnecessary CPU work and short-l...
CVE-2026-48504 OpenTelemetry Rust: Unbounded memory allocation in W3C Baggage propagation
OpenTelemetry Rust is the Rust OpenTelemetry implementation. In 0.32.0 and earlier, BaggagePropagator::extractwithcontext in opentelemetrysdk did not enforce W3C Baggage size limits before parsing an inbound baggage header, so a large attacker-controlled header could cause unnecessary CPU work an...
CVE-2026-50273
Datadog .NET Tracer is a client library for Datadog APM for .NET applications. Prior to 3.43.0, Datadog tracing libraries that implement W3C baggage propagation parse incoming baggage HTTP headers without enforcing DDTRACEBAGGAGEMAXITEMS or DDTRACEBAGGAGEMAXBYTES on extraction, allowing a remote...
CVE-2026-50273 Datadog .NET Tracer: Improper parsing of W3C baggage headers may lead to DoS
Datadog .NET Tracer is a client library for Datadog APM for .NET applications. Prior to 3.43.0, Datadog tracing libraries that implement W3C baggage propagation parse incoming baggage HTTP headers without enforcing DDTRACEBAGGAGEMAXITEMS or DDTRACEBAGGAGEMAXBYTES on extraction, allowing a remote...
EUVD-2026-45243
Datadog .NET Tracer is a client library for Datadog APM for .NET applications. Prior to 3.43.0, Datadog tracing libraries that implement W3C baggage propagation parse incoming baggage HTTP headers without enforcing DDTRACEBAGGAGEMAXITEMS or DDTRACEBAGGAGEMAXBYTES on extraction, allowing a remote...
CVE-2026-50273
Datadog .NET Tracer (dd-trace-dotnet) is affected prior to version 3.43.0 by CVE-2026-50273 due to improper parsing of W3C baggage headers. The extraction path does not enforce DD_TRACE_BAGGAGE_MAX_ITEMS or DD_TRACE_BAGGAGE_MAX_BYTES, allowing a remote unauthenticated attacker to send a header wi...
CVE-2026-50273 Datadog .NET Tracer: Improper parsing of W3C baggage headers may lead to DoS
Datadog .NET Tracer is a client library for Datadog APM for .NET applications. Prior to 3.43.0, Datadog tracing libraries that implement W3C baggage propagation parse incoming baggage HTTP headers without enforcing DDTRACEBAGGAGEMAXITEMS or DDTRACEBAGGAGEMAXBYTES on extraction, allowing a remote...
dd-trace-rb: Improper parsing of W3C baggage headers may lead to DoS
Impact Datadog tracing libraries that implement W3C baggage propagation parse incoming baggage HTTP headers without enforcing item-count or byte-size limits on the extract path. The DDTRACEBAGGAGEMAXITEMS default 64 and DDTRACEBAGGAGEMAXBYTES default 8192 limits were applied only to baggage...
GHSA-P5F6-RCCC-JV98 dd-trace-rb: Improper parsing of W3C baggage headers may lead to DoS
Impact Datadog tracing libraries that implement W3C baggage propagation parse incoming baggage HTTP headers without enforcing item-count or byte-size limits on the extract path. The DDTRACEBAGGAGEMAXITEMS default 64 and DDTRACEBAGGAGEMAXBYTES default 8192 limits were applied only to baggage...
dd-trace-go: Improper parsing of W3C baggage headers may lead to DoS
Impact Datadog tracing libraries that implement W3C baggage propagation parse incoming baggage HTTP headers without enforcing item-count or byte-size limits on the extract path. The DDTRACEBAGGAGEMAXITEMS default 64 and DDTRACEBAGGAGEMAXBYTES default 8192 limits were applied only to baggage...
GHSA-74J5-XF3V-CRQ8 dd-trace-go: Improper parsing of W3C baggage headers may lead to DoS
Impact Datadog tracing libraries that implement W3C baggage propagation parse incoming baggage HTTP headers without enforcing item-count or byte-size limits on the extract path. The DDTRACEBAGGAGEMAXITEMS default 64 and DDTRACEBAGGAGEMAXBYTES default 8192 limits were applied only to baggage...
dd-trace-dotnet: Improper parsing of W3C baggage headers may lead to DoS
Impact Datadog tracing libraries that implement W3C baggage propagation parse incoming baggage HTTP headers without enforcing item-count or byte-size limits on the extract path. The DDTRACEBAGGAGEMAXITEMS default 64 and DDTRACEBAGGAGEMAXBYTES default 8192 limits were applied only to baggage...
GHSA-38WR-VPC7-2MP4 dd-trace-dotnet: Improper parsing of W3C baggage headers may lead to DoS
Impact Datadog tracing libraries that implement W3C baggage propagation parse incoming baggage HTTP headers without enforcing item-count or byte-size limits on the extract path. The DDTRACEBAGGAGEMAXITEMS default 64 and DDTRACEBAGGAGEMAXBYTES default 8192 limits were applied only to baggage...
dd-trace-js: Improper parsing of W3C baggage headers may lead to DoS
Impact Datadog tracing libraries that implement W3C baggage propagation parse incoming baggage HTTP headers without enforcing item-count or byte-size limits on the extract path. The DDTRACEBAGGAGEMAXITEMS default 64 and DDTRACEBAGGAGEMAXBYTES default 8192 limits were applied only to baggage...
GHSA-WXQQ-GCQ8-C443 dd-trace-js: Improper parsing of W3C baggage headers may lead to DoS
Impact Datadog tracing libraries that implement W3C baggage propagation parse incoming baggage HTTP headers without enforcing item-count or byte-size limits on the extract path. The DDTRACEBAGGAGEMAXITEMS default 64 and DDTRACEBAGGAGEMAXBYTES default 8192 limits were applied only to baggage...
NPM: dd-trace-js: Improper parsing of W3C baggage headers may lead to DoS
NPM: dd-trace-js: Improper parsing of W3C baggage headers may lead to DoS vulnerability discovered by ? in WordPress Npm dd-trace versions 5.100.0...