46 matches found
CVE-2026-50274
Datadog dd-trace-go (Go client library for Datadog APM/ profiling/ security monitoring) is affected prior to version 2.8.1 due to improper enforcement of DD_TRACE_BAGGAGE_MAX_ITEMS/MAX_BYTES on the baggage header extract path. A remote, unauthenticated attacker can send HTTP requests with an exce...
CVE-2026-50272
CVE-2026-50272 affects dd-trace for Node.js (pre-5.100.0). The issue occurs in W3C baggage propagation: baggage headers are parsed without enforcing DD_TRACE_BAGGAGE_MAX_ITEMS or DD_TRACE_BAGGAGE_MAX_BYTES during extraction in packages/dd-trace/src/baggage.js and packages/dd-trace/src/opentracing...
CVE-2026-50272 dd-trace: Improper parsing of W3C baggage headers may lead to DoS
dd-trace is the Datadog APM client for Node.js. Prior to 5.100.0, W3C baggage propagation in packages/dd-trace/src/baggage.js and packages/dd-trace/src/opentracing/propagation/textmap.js parsed incoming baggage HTTP headers without enforcing DDTRACEBAGGAGEMAXITEMS or DDTRACEBAGGAGEMAXBYTES on...
CVE-2026-50273
Datadog .NET Tracer is a client library for Datadog APM for .NET applications. Prior to 3.43.0, Datadog tracing libraries that implement W3C baggage propagation parse incoming baggage HTTP headers without enforcing DDTRACEBAGGAGEMAXITEMS or DDTRACEBAGGAGEMAXBYTES on extraction, allowing a remote...
CVE-2026-50273
Datadog .NET Tracer (dd-trace-dotnet) is affected prior to version 3.43.0 by CVE-2026-50273 due to improper parsing of W3C baggage headers. The extraction path does not enforce DD_TRACE_BAGGAGE_MAX_ITEMS or DD_TRACE_BAGGAGE_MAX_BYTES, allowing a remote unauthenticated attacker to send a header wi...
dd-trace-js: Improper parsing of W3C baggage headers may lead to DoS
Impact Datadog tracing libraries that implement W3C baggage propagation parse incoming baggage HTTP headers without enforcing item-count or byte-size limits on the extract path. The DDTRACEBAGGAGEMAXITEMS default 64 and DDTRACEBAGGAGEMAXBYTES default 8192 limits were applied only to baggage...
opentelemetry_sdk has unbounded memory allocation in W3C Baggage propagation
Summary BaggagePropagator::extractwithcontext in opentelemetrysdk did not enforce the W3C Baggage size limits before parsing an inbound baggage header. A large attacker-controlled header could cause unnecessary CPU work and short-lived heap allocations while parsing entries that would later be...
PT-2026-52642
Name of the Vulnerable Software and Affected Versions opentelemetry sdk versions prior to 0.32.1 Description The BaggagePropagator::extract with context function in the opentelemetry sdk fails to enforce W3C Baggage size limits before parsing an inbound baggage header. An attacker can provide a...
CVE-2026-54285 opentelemetry-js: Unbounded memory allocation in W3C Baggage propagation
opentelemetry-js is the OpenTelemetry JavaScript Client. Prior to 2.8.0, W3CBaggagePropagator.extract in @opentelemetry/core does not enforce size limits when parsing inbound baggage HTTP headers. The W3C Baggage specification recommends a maximum of 8,192 bytes and 180 entries; these limits were...
CVE-2026-54285 opentelemetry-js: Unbounded memory allocation in W3C Baggage propagation
opentelemetry-js is the OpenTelemetry JavaScript Client. Prior to 2.8.0, W3CBaggagePropagator.extract in @opentelemetry/core does not enforce size limits when parsing inbound baggage HTTP headers. The W3C Baggage specification recommends a maximum of 8,192 bytes and 180 entries; these limits were...
CVE-2026-41178
OpenTelemetry-Go is the Go implementation of OpenTelemetry. Versions 1.41.0 and 1.43.0 removed raw-length rejection and it causes Parse to process arbitrarily large/invalid baggage headers and log errors, enabling DoS via oversized inputs. Versions 1.42.0 and 1.44.0 fix the issue...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a Server-Side Request Forgery in LangSmith [CVE-2026-25528]
Summary IBM Watson Speech Services Cartridge is vulnerable to a Server-Side Request Forgery in LangSmith, due to a flaw allowing the injection of arbitrary apiurl values through the baggage header, causing the SDK to exfiltrate sensitive trace data to attacker-controlled endpoints CVE-2026-25528...
Memory Allocation with Excessive Size Value
Overview OpenTelemetry.Extensions.Propagators is a package containing propagator formats for OpenTelemetry .NET. Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value in the processing of propagation headers such as baggage, B3, and Jaeger. An attacker ca...
OpenTelemetry-Go multi-value `baggage` header extraction causes excessive allocations (remote dos amplification)
...
Linux Distros Unpatched Vulnerability : CVE-2026-29181
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value baggage: header extraction parses each header field-value...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the baggage header extraction process. An attacker can cause excessive CPU and memory allocations by sending numerous baggage header lines, even if each individual value remains...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the baggage header extraction process. An attacker can cause excessive CPU and memory allocations by sending numerous baggage header lines, even if each individual value remains...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the baggage header extraction process. An attacker can cause excessive CPU and memory allocations by sending numerous baggage header lines, even if each individual value remains...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the baggage header extraction process. An attacker can cause excessive CPU and memory allocations by sending numerous baggage header lines, even if each individual value remains...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the baggage header extraction process. An attacker can cause excessive CPU and memory allocations by sending numerous baggage header lines, even if each individual value remains...