PT-2026-49598 · Npm · @Opentelemetry/Core

Published 2026-06-15 · Updated 2026-06-15 · CVE-2026-54285

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions
@opentelemetry/core versions prior to 2.8.0

Description
The W3CBaggagePropagator.extract() function in @opentelemetry/core fails to enforce size limits when parsing inbound baggage HTTP headers. While the W3C Baggage specification recommends a maximum of 8,192 bytes and 180 entries, these limits were only applied to the outbound inject() path. Consequently, parsing oversized baggage leads to memory allocation proportional to the header size. The risk is increased in deployments where transport-layer limits are absent, such as non-HTTP transports, custom TextMapGetter implementations, or environments where the Node.js --max-http-header-size has been increased.

Recommendations
Update to version 2.8.0 or later. Ensure header size limits are configured at the server or gateway level. For non-HTTP transports receiving baggage from untrusted sources, validate input size before passing it to the propagator.
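One way to apply the last recommendation (validating baggage size before it reaches the propagator), as an added example that is not part of this advisory or of the OpenTelemetry project: a wrapper around a TextMapGetter that drops inbound baggage headers exceeding the 8,192-byte and 180-entry limits the advisory cites. The getter shape (keys/get) follows the OpenTelemetry TextMapGetter interface; the sample carriers and the plain getter are constructed for the example.

```javascript
// Added example: enforce the W3C Baggage limits (8,192 bytes, 180 list
// members) on the inbound side, before a header reaches
// W3CBaggagePropagator.extract(). Limits mirror the advisory text.
const MAX_BAGGAGE_BYTES = 8192;
const MAX_BAGGAGE_ENTRIES = 180;
const BAGGAGE_HEADER = 'baggage';

// Returns the header value when it is within limits, otherwise undefined so
// that extract() sees "no baggage" instead of an oversized payload.
function boundBaggageHeader(value) {
  if (value === undefined || value === null) return undefined;
  const raw = Array.isArray(value) ? value.join(',') : String(value);
  if (Buffer.byteLength(raw, 'utf8') > MAX_BAGGAGE_BYTES) return undefined;
  const entries = raw.split(',').filter((m) => m.trim().length > 0);
  if (entries.length > MAX_BAGGAGE_ENTRIES) return undefined;
  return raw;
}

// Wraps any TextMapGetter so the baggage key is bounded; other keys pass through.
function boundedBaggageGetter(inner) {
  return {
    keys: (carrier) => inner.keys(carrier),
    get: (carrier, key) => {
      const v = inner.get(carrier, key);
      return key.toLowerCase() === BAGGAGE_HEADER ? boundBaggageHeader(v) : v;
    },
  };
}

// Constructed stand-in getter for a plain lower-cased headers object
// (Node.js lower-cases incoming header names in req.headers).
const plainGetter = {
  keys: (c) => Object.keys(c),
  get: (c, k) => c[k.toLowerCase()],
};

// Constructed sample carriers: one valid, one with too many entries, one too large.
function demo() {
  const getter = boundedBaggageGetter(plainGetter);
  const ok = { baggage: 'userId=alice,tenant=acme;prop=1' };
  const tooMany = { baggage: Array.from({ length: 181 }, (_, i) => `k${i}=v`).join(',') };
  const tooBig = { baggage: 'k=' + 'x'.repeat(MAX_BAGGAGE_BYTES) };
  return {
    ok: getter.get(ok, 'baggage'),
    tooMany: getter.get(tooMany, 'baggage'),
    tooBig: getter.get(tooBig, 'baggage'),
  };
}
```

Pass the wrapped getter as the third argument of `propagator.extract(context, carrier, getter)` in place of the default getter; the wrapper only affects the `baggage` key.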

Fix

Weakness Enumeration
Allocation of Resources Without Limits

Related Identifiers

CVE-2026-54285
GHSA-8988-4F7V-96QF

Affected Products

@Opentelemetry/Core