Lucene search
+L

46 matches found

CVE
CVE
added yesterday11 views

CVE-2026-50274

Datadog dd-trace-go (Go client library for Datadog APM/ profiling/ security monitoring) is affected prior to version 2.8.1 due to improper enforcement of DD_TRACE_BAGGAGE_MAX_ITEMS/MAX_BYTES on the baggage header extract path. A remote, unauthenticated attacker can send HTTP requests with an exce...

7.5CVSS5.4AI score0.00106EPSS
Exploits0References4
CVE
CVE
added yesterday15 views

CVE-2026-50272

CVE-2026-50272 affects dd-trace for Node.js (pre-5.100.0). The issue occurs in W3C baggage propagation: baggage headers are parsed without enforcing DD_TRACE_BAGGAGE_MAX_ITEMS or DD_TRACE_BAGGAGE_MAX_BYTES during extraction in packages/dd-trace/src/baggage.js and packages/dd-trace/src/opentracing...

7.5CVSS5.5AI score0.00106EPSS
Exploits0References4
Cvelist
Cvelist
added yesterday29 views

CVE-2026-50272 dd-trace: Improper parsing of W3C baggage headers may lead to DoS

dd-trace is the Datadog APM client for Node.js. Prior to 5.100.0, W3C baggage propagation in packages/dd-trace/src/baggage.js and packages/dd-trace/src/opentracing/propagation/textmap.js parsed incoming baggage HTTP headers without enforcing DDTRACEBAGGAGEMAXITEMS or DDTRACEBAGGAGEMAXBYTES on...

7.5CVSS0.00106EPSS
Exploits0References4
NVD
NVD
added yesterday7 views

CVE-2026-50273

Datadog .NET Tracer is a client library for Datadog APM for .NET applications. Prior to 3.43.0, Datadog tracing libraries that implement W3C baggage propagation parse incoming baggage HTTP headers without enforcing DDTRACEBAGGAGEMAXITEMS or DDTRACEBAGGAGEMAXBYTES on extraction, allowing a remote...

7.5CVSS0.00106EPSS
Exploits0References4
CVE
CVE
added yesterday11 views

CVE-2026-50273

Datadog .NET Tracer (dd-trace-dotnet) is affected prior to version 3.43.0 by CVE-2026-50273 due to improper parsing of W3C baggage headers. The extraction path does not enforce DD_TRACE_BAGGAGE_MAX_ITEMS or DD_TRACE_BAGGAGE_MAX_BYTES, allowing a remote unauthenticated attacker to send a header wi...

7.5CVSS5.4AI score0.00106EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 3 days ago11 views

dd-trace-js: Improper parsing of W3C baggage headers may lead to DoS

Impact Datadog tracing libraries that implement W3C baggage propagation parse incoming baggage HTTP headers without enforcing item-count or byte-size limits on the extract path. The DDTRACEBAGGAGEMAXITEMS default 64 and DDTRACEBAGGAGEMAXBYTES default 8192 limits were applied only to baggage...

7.5CVSS6.1AI score0.00106EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/25 6:40 p.m.10 views

opentelemetry_sdk has unbounded memory allocation in W3C Baggage propagation

Summary BaggagePropagator::extractwithcontext in opentelemetrysdk did not enforce the W3C Baggage size limits before parsing an inbound baggage header. A large attacker-controlled header could cause unnecessary CPU work and short-lived heap allocations while parsing entries that would later be...

5.3CVSS5.9AI score0.00096EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/25 12:0 a.m.10 views

PT-2026-52642

Name of the Vulnerable Software and Affected Versions opentelemetry sdk versions prior to 0.32.1 Description The BaggagePropagator::extract with context function in the opentelemetry sdk fails to enforce W3C Baggage size limits before parsing an inbound baggage header. An attacker can provide a...

5.3CVSS5.9AI score0.00096EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/06/22 4:52 p.m.35 views

CVE-2026-54285 opentelemetry-js: Unbounded memory allocation in W3C Baggage propagation

opentelemetry-js is the OpenTelemetry JavaScript Client. Prior to 2.8.0, W3CBaggagePropagator.extract in @opentelemetry/core does not enforce size limits when parsing inbound baggage HTTP headers. The W3C Baggage specification recommends a maximum of 8,192 bytes and 180 entries; these limits were...

5.3CVSS0.00238EPSS
Exploits0References1
OSV
OSV
added 2026/06/22 4:52 p.m.4 views

CVE-2026-54285 opentelemetry-js: Unbounded memory allocation in W3C Baggage propagation

opentelemetry-js is the OpenTelemetry JavaScript Client. Prior to 2.8.0, W3CBaggagePropagator.extract in @opentelemetry/core does not enforce size limits when parsing inbound baggage HTTP headers. The W3C Baggage specification recommends a maximum of 8,192 bytes and 180 entries; these limits were...

5.3CVSS6AI score0.00238EPSS
Exploits0References3
Debian CVE
Debian CVE
added 2026/06/04 2:38 p.m.11 views

CVE-2026-41178

OpenTelemetry-Go is the Go implementation of OpenTelemetry. Versions 1.41.0 and 1.43.0 removed raw-length rejection and it causes Parse to process arbitrarily large/invalid baggage headers and log errors, enabling DoS via oversized inputs. Versions 1.42.0 and 1.44.0 fix the issue...

5.3CVSS5.4AI score0.00237EPSS
Exploits0
IBM Security Bulletins
IBM Security Bulletins
added 2026/05/21 3:41 p.m.7 views

Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a Server-Side Request Forgery in LangSmith [CVE-2026-25528]

Summary IBM Watson Speech Services Cartridge is vulnerable to a Server-Side Request Forgery in LangSmith, due to a flaw allowing the injection of arbitrary apiurl values through the baggage header, causing the SDK to exfiltrate sensitive trace data to attacker-controlled endpoints CVE-2026-25528...

5.8CVSS7.3AI score0.00282EPSS
Exploits0Affected Software1
Snyk
Snyk
added 2026/04/23 9:43 p.m.6 views

Memory Allocation with Excessive Size Value

Overview OpenTelemetry.Extensions.Propagators is a package containing propagator formats for OpenTelemetry .NET. Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value in the processing of propagation headers such as baggage, B3, and Jaeger. An attacker ca...

6.9CVSS5.5AI score0.00458EPSS
Exploits0References2
Microsoft CVE
Microsoft CVE
added 2026/04/11 8:3 a.m.10 views

OpenTelemetry-Go multi-value `baggage` header extraction causes excessive allocations (remote dos amplification)

...

7.5CVSS5.8AI score0.00435EPSS
Exploits1
Tenable Nessus
Tenable Nessus
added 2026/04/09 12:0 a.m.2 views

Linux Distros Unpatched Vulnerability : CVE-2026-29181

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value baggage: header extraction parses each header field-value...

7.5CVSS5.8AI score0.00435EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/07 10:12 p.m.2 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the baggage header extraction process. An attacker can cause excessive CPU and memory allocations by sending numerous baggage header lines, even if each individual value remains...

8.7CVSS5.8AI score0.00435EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/07 10:12 p.m.2 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the baggage header extraction process. An attacker can cause excessive CPU and memory allocations by sending numerous baggage header lines, even if each individual value remains...

8.7CVSS5.8AI score0.00435EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/07 10:12 p.m.3 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the baggage header extraction process. An attacker can cause excessive CPU and memory allocations by sending numerous baggage header lines, even if each individual value remains...

8.7CVSS5.8AI score0.00435EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/07 10:12 p.m.1 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the baggage header extraction process. An attacker can cause excessive CPU and memory allocations by sending numerous baggage header lines, even if each individual value remains...

8.7CVSS5.8AI score0.00435EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/07 10:12 p.m.8 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the baggage header extraction process. An attacker can cause excessive CPU and memory allocations by sending numerous baggage header lines, even if each individual value remains...

8.7CVSS5.8AI score0.00435EPSS
Exploits1References2
Rows per page
Query Builder