PT-2026-60363 · Go · Github.Com/Datadog/Dd-Trace-Go+1
Publicado
2026-07-15
·
Atualizado
2026-07-15
·
CVE-2026-50274
CVSS v3.1
7.5
Alta
| Vetor | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Impact
Datadog tracing libraries that implement W3C baggage propagation parse incoming baggage HTTP headers without enforcing item-count or byte-size limits on the extract path. The DD TRACE BAGGAGE MAX ITEMS (default 64) and DD TRACE BAGGAGE MAX BYTES (default 8192) limits were applied only to baggage injection, not extraction. A remote, unauthenticated attacker can send a request whose baggage header contains an arbitrarily large number of comma-separated key-value pairs (or a single very large value). The tracer allocates a hash-map entry for each pair on every request, causing unbounded CPU and memory consumption and enabling a remote Denial of Service against any HTTP service that has the baggage propagation style enabled.
The baggage propagation style is enabled by default in most affected tracers, so any internet-facing service that has been instrumented with an affected tracer version is exposed unless the propagation style has been explicitly narrowed.
Patches
This is resolved in version 2.8.1 and later of the
dd-trace-go library.Workarounds
If users cannot upgrade immediately:
- Disable
baggageextraction by removingbaggagefromDD TRACE PROPAGATION STYLE(orDD TRACE PROPAGATION STYLE EXTRACTif set independently). - Cap the maximum HTTP request header size at an upstream proxy or web server (for example, Apache
LimitRequestFieldSize, Nginxlarge client header buffers, Envoymax request headers kb).
Resources
Related upstream advisories:
opentelemetry-go GHSA-mh2q-q3fh-2475
opentelemetry-dotnet GHSA-g94r-2vxg-569j
Correção
Allocation of Resources Without Limits
Resource Exhaustion
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Github.Com/Datadog/Dd-Trace-Go
Github.Com/Datadog/Dd-Trace-Go/V2