OpenTelemetry‑Go libraries from version 1.36.0 through 1.40.0 contain a flaw in the handling of multi‑value baggage headers. The extraction logic parses each header value separately and then aggregates all entries, which allows an attacker to send many baggage: header lines. Even though each individual value is limited to 8192 bytes, the cumulative effect can generate a large number of temporary objects, leading to excessive CPU usage and memory allocation. This results in a denial‑of‑service condition for the service that processes the headers, without exposing any confidential data or elevating privileges.

The vulnerability affects the OpenTelemetry‑Go package distributed by the Open Telemetry project. Systems that embed this Go library in their monitoring or instrumentation services and accept incoming baggage headers are at risk. Specifically, versions 1.36.0 through 1.40.0 are affected; versions 1.41.0 and later contain the fix.

The CVSS base score of 7.5 reflects a high severity, while the EPSS score of less than 1% indicates a low probability of active exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog, suggesting no widespread exploitation. The attack vector is not explicitly stated in the CVE description; it is inferred that an attacker would need to deliver crafted baggage headers over HTTP or a compatible transport to a service that ingests baggage data. Once triggered, the target experiences high CPU consumption and memory pressure, potentially denying legitimate traffic.