GHSA-g94r-2vxg-569j
Suggest an improvement- Source
- https://github.com/advisories/GHSA-g94r-2vxg-569j
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-g94r-2vxg-569j/GHSA-g94r-2vxg-569j.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-g94r-2vxg-569j
- Aliases
- Related
- Published
- 2026-04-23T21:43:53Z
- Modified
- 2026-04-28T10:59:58.138028349Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
- Summary
- OpenTelemetry dotnet: Excessive memory allocation when parsing OpenTelemetry propagation headers
- Details
-
Summary
The implementation details of the baggage, B3 and Jaeger processing code in the
OpenTelemetry.ApiandOpenTelemetry.Extensions.PropagatorsNuGet packages can allocate excessive memory when parsing which could create a potential denial of service (DoS) in the consuming application.Details
Exceeding Limits
BaggagePropagator.Inject<T>()does not enforce the length limit of8192characters if the injected baggage contains only one item.This change was introduced by #1048.
Excessive allocation
The following methods eagerly allocate intermediate arrays before applying size limits.
BaggagePropagator.Extract<T>()- this change was introduced by #1048.BaggagePropagator.Inject<T>()- this change was introduced by #1048.B3Propagator.Extract<T>()- this change was introduced by #533.B3Propagator.Extract<T>()- this change was introduced by #3244.JaegerPropagator.Extract<T>()- this change was introduced by #3309.
Impact
Excessively large propagation headers, particularly in degenerate/malformed cases that consist or large numbers of delimiter characters, can allocate excessive amounts of memory for intermediate storage of parsed content relative to the size of the original input.
Mitigation
HTTP servers often set maximum limits on the length of HTTP request headers, such as Internet Information Services (IIS) which sets a default limit of 16KB and nginx which sets a default limit of 8KB.
Workarounds
Possible workarounds include:
- Configuring appropriate HTTP request header limits.
- Disabling baggage and/or trace propagation.
Remediation
#7061 refactors the handling of baggage, B3 and Jaeger propagation headers to stop parsing eagerly when limits are exceeded and avoid allocating intermediate arrays.
- Database specific
{ "github_reviewed": true, "severity": "MODERATE", "cwe_ids": [ "CWE-789" ], "nvd_published_at": "2026-04-23T19:17:28Z", "github_reviewed_at": "2026-04-23T21:43:53Z" }- References
-
- https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-g94r-2vxg-569j
- https://nvd.nist.gov/vuln/detail/CVE-2026-40894
- https://github.com/open-telemetry/opentelemetry-dotnet/pull/1048
- https://github.com/open-telemetry/opentelemetry-dotnet/pull/3244
- https://github.com/open-telemetry/opentelemetry-dotnet/pull/3309
- https://github.com/open-telemetry/opentelemetry-dotnet/pull/3533
- https://github.com/open-telemetry/opentelemetry-dotnet/pull/533
- https://github.com/open-telemetry/opentelemetry-dotnet/pull/7061
- https://github.com/open-telemetry/opentelemetry-dotnet
- https://github.com/open-telemetry/opentelemetry-dotnet/releases/tag/core-1.15.3
Affected packages
NuGet / OpenTelemetry.Api
Package
- Name
- OpenTelemetry.Api
- View open source insights on deps.dev
- Purl
- pkg:nuget/OpenTelemetry.Api
Affected versions
1.*
NuGet / OpenTelemetry.Extensions.Propagators
Package
- Name
- OpenTelemetry.Extensions.Propagators
- View open source insights on deps.dev
- Purl
- pkg:nuget/OpenTelemetry.Extensions.Propagators