Description
opentelemetry-js is the OpenTelemetry JavaScript Client. Prior to 2.8.0, W3CBaggagePropagator.extract() in @opentelemetry/core does not enforce size limits when parsing inbound baggage HTTP headers. The W3C Baggage specification recommends a maximum of 8,192 bytes and 180 entries; these limits were only enforced on the outbound (inject()) path, not on the inbound (extract()) path. Parsing oversized baggage causes memory allocation proportional to the header size without any cap. This vulnerability is fixed in 2.8.0.
Published: 2026-06-22
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the W3CBaggagePropagator.extract() function of @opentelemetry/core, which fails to enforce the W3C Baggage specification limits on inbound HTTP headers. When an attacker sends a request containing an oversized baggage header, the library allocates memory proportional to the header size without any cap, potentially exhausting the process memory. This can lead to application crashes or degraded service, an indicator of a denial-of-service condition. The weakness is identified as uncontrolled resource consumption (CWE-770).

Affected Systems

Applications built with the open‑telemetry opentelemetry‑js client before version 2.8.0 are affected. The fix was introduced in 2.8.0, so any deployment using a prior version of opentelemetry‑js or of @opentelemetry/core is vulnerable.

Risk and Exploitability

The CVSS score of 5.3 reflects moderate severity; the EPSS score is not available, so the likelihood of exploitation cannot be quantified from public data. The vulnerability was not listed in CISA’s KEV catalog, indicating no documented active exploitation at this time. An attacker can trigger the issue by sending a crafted HTTP request containing a very large baggage header, subject to network latency and hosting environment constraints. If the application is exposed to untrusted traffic, the risk is that repeated requests could degrade or interrupt service for legitimate users.

Generated by OpenCVE AI on June 22, 2026 at 18:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade opentelemetry-js to version 2.8.0 or later to enforce inbound baggage size limits.
  • Ensure that any transitive dependencies, such as @opentelemetry/core, are also updated to a compatible 2.8.0 or newer release.
  • Restart the application or server to load the upgraded library and clear any pending resource allocations.

Generated by OpenCVE AI on June 22, 2026 at 18:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-8988-4f7v-96qf OpenTelemetry Core: Unbounded memory allocation in W3C Baggage propagation
History

Mon, 29 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Moderate


Tue, 23 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Opentelemetry
Opentelemetry opentelemetry-js
Vendors & Products Opentelemetry
Opentelemetry opentelemetry-js

Mon, 22 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Description opentelemetry-js is the OpenTelemetry JavaScript Client. Prior to 2.8.0, W3CBaggagePropagator.extract() in @opentelemetry/core does not enforce size limits when parsing inbound baggage HTTP headers. The W3C Baggage specification recommends a maximum of 8,192 bytes and 180 entries; these limits were only enforced on the outbound (inject()) path, not on the inbound (extract()) path. Parsing oversized baggage causes memory allocation proportional to the header size without any cap. This vulnerability is fixed in 2.8.0.
Title opentelemetry-js: Unbounded memory allocation in W3C Baggage propagation
Weaknesses CWE-770
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


Subscriptions

Opentelemetry Opentelemetry-js
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T16:11:07.708Z

Reserved: 2026-06-12T17:46:37.292Z

Link: CVE-2026-54285

cve-icon Vulnrichment

Updated: 2026-06-23T14:48:34.164Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-22T16:52:54Z

Links: CVE-2026-54285 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-22T20:45:04Z

Weaknesses
  • CWE-770

    Allocation of Resources Without Limits or Throttling