2 matches found
CVE-2026-59892 OpenTelemetry JavaScript: Denial of service in `JaegerPropagator` via unhandled exception on a malformed header
OpenTelemetry JavaScript is the OpenTelemetry JavaScript client. Prior to 2.9.0, @opentelemetry/propagator-jaeger decodes incoming uber-trace-id and uberctx- HTTP header values with decodeURIComponent without handling decode errors, allowing an unauthenticated remote attacker to send a malformed...
CVE-2026-59892
Summary: OpenTelemetry JavaScript’s JaegerPropagator (via @opentelemetry/propagator-jaeger) decodes uber-trace-id and uberctx-* headers with decodeURIComponent() without handling decode errors prior to 2.9.0, enabling an unauthenticated attacker to send a malformed percent-encoded value that resu...