PT-2025-9847 · Unknown · Opentelemetry Dotnet

High · rajkumar-rangaraj · Published 2025-03-05 · Updated 2025-03-06 · CVE-2025-27513

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
OpenTelemetry.Api versions 1.10.0 through 1.11.1

Description
A vulnerability in OpenTelemetry.Api could cause a Denial of Service (DoS) when tracestate and traceparent headers are received. This issue affects any application accessible over the web, and any backend service, that processes HTTP requests containing a tracestate header. Affected applications may experience excessive resource consumption, leading to increased latency, degraded performance, or downtime.

Recommendations
To resolve the issue, upgrade to OpenTelemetry.Api version 1.11.2 by running the command dotnet add package OpenTelemetry --version 1.11.2. For OpenTelemetry .NET Automatic Instrumentation, upgrade to version 1.11.0. As a temporary workaround, consider restricting access to the vulnerable OpenTelemetry.Api package until a patch is available. Avoid using the tracestate and traceparent headers in HTTP requests until the issue is resolved.
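The first step in acting on this advisory is finding out which projects still reference an affected version. The script below is an added example, not part of this advisory or of the OpenTelemetry project: it parses a .csproj file, checks every PackageReference for OpenTelemetry.Api (and the OpenTelemetry meta-package, which is assumed here to pull in OpenTelemetry.Api at the same version, matching the upgrade command given above), and reports references whose version falls in the affected range 1.10.0 through 1.11.1. The sample .csproj is constructed for the example; floating versions and NuGet range syntax are reported separately for manual review rather than silently treated as safe.

```python
"""Flag .csproj PackageReferences to OpenTelemetry.Api in the affected range.

Added example for the advisory above; not part of the advisory or the
OpenTelemetry project. Version bounds come from the advisory text.
"""
import xml.etree.ElementTree as ET

AFFECTED_MIN = (1, 10, 0)      # first affected version (advisory)
AFFECTED_MAX = (1, 11, 1)      # last affected version (advisory)
FIXED_VERSION = "1.11.2"       # fixed version (advisory)

# OpenTelemetry.Api is the package named in the advisory. The OpenTelemetry
# meta-package is included on the assumption that it depends on
# OpenTelemetry.Api at the same version, which is why the advisory's upgrade
# command targets it.
WATCHED_PACKAGES = {"OpenTelemetry.Api", "OpenTelemetry"}


def parse_version(text):
    """Turn '1.11.1' or '1.11.0-beta.1' into a comparable (major, minor, patch) tuple.

    Pre-release and build metadata suffixes are dropped, so a pre-release of
    an affected version is treated as affected (the conservative choice).
    """
    core = text.split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    nums = [int(p) for p in parts] + [0, 0]
    return tuple(nums[:3])


def is_affected(version_text):
    """True if the exact version lies in [AFFECTED_MIN, AFFECTED_MAX]."""
    return AFFECTED_MIN <= parse_version(version_text) <= AFFECTED_MAX


def _local_name(tag):
    # Old-style csproj files carry an MSBuild xmlns; strip it for matching.
    return tag.rsplit("}", 1)[-1]


def find_affected_packages(csproj_xml):
    """Return {'affected': [(name, version)], 'unresolved': [(name, version)]}.

    'unresolved' holds references whose version cannot be decided from the
    file alone: NuGet ranges such as "[1.10.0,)", wildcards such as "1.*",
    or no Version at all (central package management).
    """
    root = ET.fromstring(csproj_xml)
    affected, unresolved = [], []
    for ref in root.iter():
        if _local_name(ref.tag) != "PackageReference":
            continue
        name = ref.get("Include") or ref.get("Update")
        if name not in WATCHED_PACKAGES:
            continue
        version = ref.get("Version")
        if version is None:
            child = next((c for c in ref if _local_name(c.tag) == "Version"), None)
            version = child.text.strip() if child is not None and child.text else None
        if version is None or version[0] in "[(" or "*" in version:
            unresolved.append((name, version))
            continue
        if is_affected(version):
            affected.append((name, version))
    return {"affected": affected, "unresolved": unresolved}


# Constructed sample project file for the example.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="OpenTelemetry.Api" Version="1.11.1" />
    <PackageReference Include="OpenTelemetry.Exporter.Console" Version="1.11.1" />
    <PackageReference Include="OpenTelemetry">
      <Version>1.9.0</Version>
    </PackageReference>
    <PackageReference Include="Serilog" Version="4.2.0" />
  </ItemGroup>
</Project>"""


if __name__ == "__main__":
    result = find_affected_packages(SAMPLE_CSPROJ)
    for name, version in result["affected"]:
        print(f"AFFECTED: {name} {version} -> upgrade to {FIXED_VERSION}")
    for name, version in result["unresolved"]:
        print(f"REVIEW:   {name} {version} (version not resolvable from csproj)")
```

Run it against each .csproj in a repository (or against packages.lock.json with the same range check) and treat any "REVIEW" line as a prompt to inspect the restored dependency graph, since a range or wildcard may still resolve to an affected version.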

Tags: Exploit · Fix · DoS · Allocation of Resources Without Limits


Weakness Enumeration

Related Identifiers

CVE-2025-27513
GHSA-8785-WC3W-H8Q6
GHSA-VC29-VG52-6643

Affected Products

Opentelemetry Dotnet