Impact
The vulnerability resides in the W3CBaggagePropagator.extract() function of @opentelemetry/core, which fails to enforce the W3C Baggage specification limits on inbound HTTP headers. When an attacker sends a request containing an oversized baggage header, the library allocates memory proportional to the header size without any cap, potentially exhausting the process memory. This can lead to application crashes or degraded service, an indicator of a denial-of-service condition. The weakness is identified as uncontrolled resource consumption (CWE-770).
Affected Systems
Applications built with the open‑telemetry opentelemetry‑js client before version 2.8.0 are affected. The fix was introduced in 2.8.0, so any deployment using a prior version of opentelemetry‑js or of @opentelemetry/core is vulnerable.
Risk and Exploitability
The CVSS score of 5.3 reflects moderate severity; the EPSS score is not available, so the likelihood of exploitation cannot be quantified from public data. The vulnerability was not listed in CISA’s KEV catalog, indicating no documented active exploitation at this time. An attacker can trigger the issue by sending a crafted HTTP request containing a very large baggage header, subject to network latency and hosting environment constraints. If the application is exposed to untrusted traffic, the risk is that repeated requests could degrade or interrupt service for legitimate users.
OpenCVE Enrichment
Github GHSA