PT-2026-52642 · Unknown · Opentelemetry Sdk
Published 2026-06-25 · Updated 2026-06-25 · CVE-2026-48504
CVSS v3.1: 5.3 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
Name of the Vulnerable Software and Affected Versions
OpenTelemetry SDK, versions prior to 0.32.1
Description
The BaggagePropagator::extract_with_context() function in the OpenTelemetry SDK does not enforce the W3C Baggage size limits before parsing an inbound baggage header. An attacker who can send an oversized header forces the SDK to parse every list-member, spending CPU time and making short-lived heap allocations for entries that the SDK's storage limits then discard. This creates a denial-of-service condition for services that accept untrusted propagation headers, particularly where no transport-level header size limit is in place or the limit is larger than the 8192-byte total the W3C Baggage specification defines.
Recommendations
Upgrade to version 0.32.1 or later.
As a temporary workaround, reject or limit inbound baggage headers larger than 8192 bytes at a proxy, gateway, middleware layer, or custom carrier boundary before invoking OpenTelemetry propagation extraction.
Fix
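Added example, not code from this advisory or from the OpenTelemetry project: a stand-alone Rust sketch of the ordering problem described above (parse every list-member first, truncate to the storage limit afterwards) beside a bounded parser that enforces the limits before and during parsing, plus the constant-time size check the workaround recommends for a proxy or middleware boundary. It assumes the affected component is the Rust opentelemetry_sdk crate, as the BaggagePropagator::extract_with_context() path and 0.x versioning suggest. The function and type names, the error variants and the constructed 2000-member header are hypothetical; the numeric limits (8192 bytes total, 4096 bytes per list-member, 64 list-members) are those of the W3C Baggage specification.

```rust
// Added example, not code from the opentelemetry_sdk crate or the advisory.
// Shows the vulnerable ordering (parse everything, then truncate) next to a
// bounded parser that enforces the W3C Baggage limits before and during
// parsing, plus the O(1) size check the workaround recommends at a proxy or
// middleware boundary. All names are hypothetical.

/// Limits from the W3C Baggage specification.
pub const MAX_BAGGAGE_BYTES: usize = 8192; // total header length
pub const MAX_MEMBER_BYTES: usize = 4096;  // one list-member (key=value;props)
pub const MAX_MEMBERS: usize = 64;         // number of list-members

#[derive(Debug, PartialEq)]
pub enum BaggageReject {
    TooLarge(usize),       // total header length in bytes
    MemberTooLarge(usize), // offending list-member length in bytes
    TooManyMembers(usize), // members already accepted when the limit was hit
    Malformed,             // list-member without a key or '='
}

/// Workaround-style check: run on the raw header value at the carrier
/// boundary, before any propagator extraction is invoked.
pub fn check_total_size(header: &str) -> Result<(), BaggageReject> {
    if header.len() > MAX_BAGGAGE_BYTES {
        return Err(BaggageReject::TooLarge(header.len()));
    }
    Ok(())
}

/// Vulnerable ordering: every list-member is split, trimmed and allocated,
/// and only afterwards is the result cut down to the storage limit. Work
/// and allocations scale with attacker-controlled input. Returns the kept
/// entries and the number of members actually parsed.
pub fn parse_baggage_unbounded(header: &str) -> (Vec<(String, String)>, usize) {
    let mut parsed = Vec::new();
    let mut work = 0usize;
    for member in header.split(',') {
        let member = member.trim();
        if member.is_empty() {
            continue;
        }
        work += 1;
        let kv = member.split(';').next().unwrap_or(""); // drop properties
        if let Some((k, v)) = kv.split_once('=') {
            parsed.push((k.trim().to_string(), v.trim().to_string()));
        }
    }
    parsed.truncate(MAX_MEMBERS); // discard what was just paid for
    (parsed, work)
}

/// Hardened ordering: reject oversized headers before parsing, then stop at
/// the first member that breaks a limit instead of parsing to the end.
/// Values are kept percent-encoded as transmitted; decoding is out of scope.
pub fn parse_baggage_bounded(header: &str) -> Result<Vec<(String, String)>, BaggageReject> {
    check_total_size(header)?;
    let mut out: Vec<(String, String)> = Vec::new();
    for member in header.split(',') {
        let member = member.trim();
        if member.is_empty() {
            continue;
        }
        if out.len() >= MAX_MEMBERS {
            return Err(BaggageReject::TooManyMembers(out.len()));
        }
        if member.len() > MAX_MEMBER_BYTES {
            return Err(BaggageReject::MemberTooLarge(member.len()));
        }
        let kv = member.split(';').next().unwrap_or("");
        let (k, v) = kv.split_once('=').ok_or(BaggageReject::Malformed)?;
        let (k, v) = (k.trim(), v.trim());
        if k.is_empty() {
            return Err(BaggageReject::Malformed);
        }
        out.push((k.to_string(), v.to_string()));
    }
    Ok(out)
}

/// Constructed attacker input: 2000 small, well-formed list-members, far past
/// the 64-member and 8192-byte limits.
pub fn oversized_header() -> String {
    (0..2000)
        .map(|i| format!("k{}=v{}", i, i))
        .collect::<Vec<_>>()
        .join(",")
}

fn main() {
    let big = oversized_header();
    let (kept, work) = parse_baggage_unbounded(&big);
    println!("unbounded: parsed {} members, kept {}", work, kept.len());
    println!("bounded:   {:?}", parse_baggage_bounded(&big));
    println!("boundary:  {:?}", check_total_size(&big));
    let benign = "userId=alice,serverNode=DF%2028;ttl=60,isProduction=false";
    println!("benign:    {:?}", parse_baggage_bounded(benign));
}
```

At a real carrier boundary, check_total_size would run on the raw header value before the propagator is invoked, which is the shape of the workaround above. The two parsers show why the order matters: the unbounded path does work proportional to the number of list-members the attacker sends and then throws most of it away, while the bounded path fails fast at the first limit it hits.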
Weakness Enumeration
Allocation of Resources Without Limits or Throttling (CWE-770)
Related Identifiers
CVE-2026-48504
Affected Products
OpenTelemetry SDK