Description
OpenTelemetry-Go is the Go implementation of OpenTelemetry. Versions 1.41.0 and 1.43.0 removed raw-length rejection and it causes `Parse` to process arbitrarily large/invalid baggage headers and log errors, enabling DoS via oversized inputs. Versions 1.42.0 and 1.44.0 fix the issue.
Published: 2026-06-04
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenTelemetry-Go's baggage parsing logic was altered in versions 1.41.0 and 1.43.0 to remove the maximum length check on raw header values. As a result, `Parse` accepts and processes baggage headers of arbitrary size, including invalid ones, and logs errors for them. This uncontrolled resource consumption leads to application slowdown or crashes and is classified as a denial-of-service vulnerability under CWE-789.

Affected Systems

The flaw is in the Go OpenTelemetry library, specifically the otel/baggage and otel/propagation packages. Versions 1.41.0 and 1.43.0 carry it. It is resolved in the subsequent releases, 1.42.0 and 1.44.0, so any deployment still on an affected version is at risk.

Risk and Exploitability

The CVSS base score of 5.3 indicates a moderate likelihood of successful exploitation. No EPSS score is available, and the flaw is not on the CISA KEV list. An attacker could inject oversized baggage headers via HTTP requests or any other propagation mechanism the library processes, causing the receiving service to allocate excessive memory and emit repeated error logs. If the application accepts baggage headers from untrusted clients, an external hostile client could send such requests repeatedly to exhaust resources.

Generated by OpenCVE AI on June 4, 2026 at 16:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a release that restores the raw header length check: 1.42.0 if you are on 1.41.0, or 1.44.0 if you are on 1.43.0 (1.43.0 is also affected, so "1.42.0 or newer" is not sufficient on its own).
  • Configure maximum HTTP header size or enforce header length limits at the networking layer to prevent large baggage headers from reaching the application.
  • Enable logging throttling or disable detailed error logging for baggage parsing to curb log amplification during an attack.

Generated by OpenCVE AI on June 4, 2026 at 16:21 UTC.


Advisories

Source: GitHub GHSA
ID: GHSA-5wrp-cwcj-q835
Title: opentelemetry-go's baggage parsing no longer caps raw header length
History

Thu, 04 Jun 2026 17:30:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 04 Jun 2026 15:45:00 +0000

Type: Description
Values added: OpenTelemetry-Go is the Go implementation of OpenTelemetry. Versions 1.41.0 and 1.43.0 removed raw-length rejection and it causes `Parse` to process arbitrarily large/invalid baggage headers and log errors, enabling DoS via oversized inputs. Versions 1.42.0 and 1.44.0 fix the issue.

Type: Title
Values added: OpenTelemetry-Go's baggage parsing no longer caps raw header length

Type: Weaknesses
Values added: CWE-789

Type: References

Type: Metrics (cvssV3_1)
Values added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-06-04T15:46:11.923Z
Reserved: 2026-04-17T16:34:45.526Z
Link: CVE-2026-41178

Vulnrichment

Updated: 2026-06-04T15:45:59.567Z

NVD

Status: Undergoing Analysis
Published: 2026-06-04T16:16:37.297
Modified: 2026-06-04T17:16:32.550
Link: CVE-2026-41178

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-04T16:30:06Z

Weaknesses