GHSA-W9WP-H8WV-79JX

Vulnerability from github – Published: 2026-06-25 18:40 – Updated: 2026-06-25 18:40
VLAI
Summary
opentelemetry_sdk has unbounded memory allocation in W3C Baggage propagation
Details

Summary

BaggagePropagator::extract_with_context in opentelemetry_sdk did not enforce the W3C Baggage size limits before parsing an inbound baggage header. A large attacker-controlled header could cause unnecessary CPU work and short-lived heap allocations while parsing entries that would later be discarded by the SDK's baggage storage limits.

The SDK now applies limits aligned with the W3C Baggage limits:

  • 64 list-members
  • 8192 bytes total

Impact

Services that accept untrusted inbound propagation headers may experience increased per-request resource usage when processing oversized baggage headers. This can contribute to denial-of-service risk, especially when application or transport-level header limits are absent or configured above the W3C Baggage limits.

The impact is limited to availability. This issue does not expose telemetry data, modify telemetry data, or allow code execution.

Patches

Upgrade opentelemetry_sdk to version 0.32.1 or later.

Version 0.32.1 rejects baggage header values larger than 8192 bytes and limits extraction to the first 64 list-members.

## Workarounds

If upgrading immediately is not possible, reject or limit inbound baggage headers larger than 8192 bytes before invoking OpenTelemetry propagation extraction. This can be enforced at a proxy, gateway, middleware layer, or custom carrier boundary.

Resources

  • W3C Baggage limits: https://www.w3.org/TR/baggage/#limits
  • Related OpenTelemetry Java advisory: https://github.com/open-telemetry/opentelemetry-java/security/advisories/GHSA-rcgg-9c38-7xpx
  • Related OpenTelemetry Go advisory: https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-mh2q-q3fh-2475
  • CVE-2026-48504

Credit

tonghuaroot

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.32.0"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "opentelemetry_sdk"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.32.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-48504"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-25T18:40:04Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\n`BaggagePropagator::extract_with_context` in `opentelemetry_sdk` did not enforce the W3C Baggage size limits before parsing an inbound `baggage` header. A large attacker-controlled header could cause unnecessary CPU work and short-lived heap allocations while parsing entries that would later be discarded by the SDK\u0027s baggage storage limits.\n\nThe SDK now applies limits aligned with the W3C Baggage limits:\n\n  - 64 list-members\n  - 8192 bytes total\n\n## Impact\n\nServices that accept untrusted inbound propagation headers may experience increased per-request resource usage when processing oversized `baggage` headers. This can contribute to denial-of-service risk, especially when application or transport-level header limits are absent or configured above the W3C Baggage limits.\n \nThe impact is limited to availability. This issue does not expose telemetry data, modify telemetry data, or allow code execution.\n\n## Patches\n\nUpgrade `opentelemetry_sdk` to version `0.32.1` or later.\n\nVersion `0.32.1` rejects `baggage` header values larger than 8192 bytes and limits extraction to the first 64 list-members.\n\n  ## Workarounds\n\nIf upgrading immediately is not possible, reject or limit inbound `baggage` headers larger than 8192 bytes before invoking OpenTelemetry propagation extraction. This can be enforced at a proxy, gateway, middleware layer, or custom carrier boundary.\n\n## Resources\n\n  - W3C Baggage limits: https://www.w3.org/TR/baggage/#limits\n  - Related OpenTelemetry Java advisory: https://github.com/open-telemetry/opentelemetry-java/security/advisories/GHSA-rcgg-9c38-7xpx\n  - Related OpenTelemetry Go advisory: https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-mh2q-q3fh-2475\n  - CVE-2026-48504\n\n## Credit\n\ntonghuaroot",
  "id": "GHSA-w9wp-h8wv-79jx",
  "modified": "2026-06-25T18:40:05Z",
  "published": "2026-06-25T18:40:04Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/open-telemetry/opentelemetry-rust/security/advisories/GHSA-w9wp-h8wv-79jx"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/open-telemetry/opentelemetry-rust"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "opentelemetry_sdk has unbounded memory allocation in W3C Baggage propagation"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…