The vulnerability resides in the `W3CBaggagePropagator.extract()` method of the `@opentelemetry/core` package. This method is responsible for parsing inbound HTTP headers that carry W3C Baggage data, which are used to propagate context across services. The W3C Baggage specification recommends limiting the total baggage size to 8,192 bytes and the number of entries to 180. However, the `extract()` method does not enforce any of these limits, while the outbound `inject()` method does.
When an attacker sends an oversized `baggage` header, the `extract()` method proceeds to parse it without any caps. This parsing involves splitting the header string into individual entry objects, which causes memory allocation that is proportional to the size of the input. For a sufficiently large header (e.g., thousands of bytes containing many delimiters), the allocation can become excessive. The method does not apply the recommended size or entry limits, meaning there is no boundary to the memory footprint during this parsing phase.
For most Node.js deployments, the practical availability impact is limited. Node.js enforces a default `--max-http-header-size` of 16,384 bytes for the total combined size of all HTTP headers, which prevents an attacker from delivering a truly massive `baggage` header before the propagator is ever reached. Furthermore, by the time the header reaches the propagator, it is already stored in memory by the underlying HTTP parser, so the additional allocation is merely the overhead of splitting the existing string into smaller objects, not an unbounded network read.
Nevertheless, the risk becomes significantly higher when the transport layer imposes no size limits. This includes scenarios such as non-HTTP transports (messaging systems, custom `TextMapGetter` implementations) or deployments where `--max-http-header-size` has been raised to a large value. In these environments, an attacker can directly supply an oversized baggage header, leading to a denial-of-service condition through excessive memory consumption.
The issue was assigned CVE-2026-54285 with a Moderate severity rating. It was discovered by tonghuaroot and fixed in `@opentelemetry/core` version 2.8.0 and later. The remediation enforces the W3C Baggage limits at the propagator level: maximum total size of 8,192 bytes, maximum of 180 entries, and a per-entry size cap of 4,096 bytes. Headers exceeding these limits are truncated at the point the limit is reached.
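To make the difference concrete, the snippet below is an added illustration written for this post; it is not code from `@opentelemetry/core`. It uses a simplified W3C Baggage parser in place of the real `W3CBaggagePropagator.extract()`: `extractUnbounded()` behaves like the pre-2.8.0 method (every member of the header becomes an allocated entry object, however long the header is), while `extractBounded()` applies the three limits the fix is described as enforcing (8,192 total bytes, 180 entries, 4,096 bytes per entry) and stops at the point a limit is reached. The `buildHeader()` inputs are constructed here purely for demonstration.

```javascript
// Added example: simplified W3C Baggage parsing, unbounded vs. hardened.
// This is a stand-in for the real propagator, not @opentelemetry/core code.

const MAX_TOTAL_BYTES = 8192; // W3C Baggage total-size limit named in the advisory
const MAX_ENTRIES = 180;      // W3C Baggage entry-count limit named in the advisory
const MAX_ENTRY_BYTES = 4096; // per-entry cap named in the advisory

// Percent-decode a token; malformed escapes make the entry invalid rather than throwing.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return null; }
}

// Parse one "key=value;prop1;prop2=val" member into an entry object.
// Returns null for members with an empty key, no '=', or a bad escape.
function parseEntry(member) {
  const [kv, ...props] = member.split(';');
  const eq = kv.indexOf('=');
  if (eq <= 0) return null;
  const key = safeDecode(kv.slice(0, eq).trim());
  const value = safeDecode(kv.slice(eq + 1).trim());
  if (key === null || value === null || key === '') return null;
  return { key, value, metadata: props.map((p) => p.trim()).join(';') };
}

// Unbounded (the pre-fix behaviour): one object per member, so the number of
// allocations scales linearly with whatever the caller put in the header.
function extractUnbounded(header) {
  const entries = new Map();
  for (const member of header.split(',')) {
    const entry = parseEntry(member);
    if (entry) entries.set(entry.key, entry);
  }
  return entries;
}

// Hardened: stop when the total byte budget or the entry budget is exhausted,
// and skip any single member above the per-entry cap. Bytes are counted with
// Buffer.byteLength so multibyte UTF-8 values are measured as bytes, not chars.
function extractBounded(header) {
  const entries = new Map();
  let bytesSeen = 0;
  let membersSeen = 0;
  for (const member of header.split(',')) {
    const memberBytes = Buffer.byteLength(member, 'utf8');
    const cost = memberBytes + (membersSeen > 0 ? 1 : 0); // the ',' delimiter counts too
    if (bytesSeen + cost > MAX_TOTAL_BYTES) break;        // total-size limit reached: truncate here
    if (entries.size >= MAX_ENTRIES) break;               // entry-count limit reached: truncate here
    bytesSeen += cost;
    membersSeen += 1;
    if (memberBytes > MAX_ENTRY_BYTES) continue;          // one oversized entry: drop it, keep going
    const entry = parseEntry(member);
    if (entry) entries.set(entry.key, entry);
  }
  return entries;
}

// Constructed attacker input: `count` members of the form k<i>=<valueLen x's>.
function buildHeader(count, valueLen) {
  const members = [];
  for (let i = 0; i < count; i++) members.push(`k${i}=${'x'.repeat(valueLen)}`);
  return members.join(',');
}

// 200 short entries: the entry-count limit is what stops the hardened parser.
console.log('200 entries  -> unbounded:', extractUnbounded(buildHeader(200, 10)).size,
            'bounded:', extractBounded(buildHeader(200, 10)).size);
// 20 entries of ~1 KB each: the total-size limit is what stops it.
console.log('20 x 1 KB    -> unbounded:', extractUnbounded(buildHeader(20, 1000)).size,
            'bounded:', extractBounded(buildHeader(20, 1000)).size);
```

The truncation points (last complete member under the byte budget, and the 180th entry) follow the advisory's description of the fix; the real propagator's exact cut-off behaviour at the boundary may differ, so treat the numbers as illustrative of the mechanism rather than of `@opentelemetry/core` itself.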
DailyCVE Form:
Platform: Node.js OpenTelemetry
Version: < 2.8.0
Vulnerability: Unbounded memory allocation
Severity: Moderate
Date: 2026-06-12
Prediction: 2026-06-12 (2.8.0)
What Undercode Say:
- Check the currently installed version of @opentelemetry/core:
`npm list @opentelemetry/core`
A vulnerable version (e.g., 2.7.1) will output something like:
`└── @opentelemetry/core@2.7.1`
- Simulate an oversized W3C Baggage header (this is a conceptual step). Note: actual exploitation would involve sending a very long `baggage` HTTP header.
- Update the package to the fixed version (2.8.0 or later):
`npm install @opentelemetry/core@^2.8.0`
- Verify the updated version:
`npm list @opentelemetry/core`
Expected output: `@opentelemetry/core@2.8.0` (or later)
Exploit:
An attacker sends an HTTP request (or message via a non-HTTP transport) containing a `baggage` header that exceeds the W3C recommended limits. For example, a header with 200 entries or a total size of 20,000 bytes. The `W3CBaggagePropagator.extract()` method attempts to parse this header without any enforcement of size or entry limits, causing the Node.js process to allocate memory proportional to the header size. Repeated requests with such oversized headers can lead to excessive memory consumption, potentially causing the application to crash or become unresponsive (denial of service).
Protection:
- Update the package to version 2.8.0 or later:
`npm install @opentelemetry/core@^2.8.0`
- Enforce HTTP header size limits at the server or gateway level (e.g., Node.js defaults to 16 KB, which mitigates external attacks).
- For non-HTTP transports receiving baggage from untrusted sources, validate input size before passing it to the propagator.
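For the non-HTTP case in the last point, the following is an added example (not part of the post, the advisory, or OpenTelemetry itself) of validating the baggage size before it reaches the propagator. It assumes a Kafka-style message carrier shaped as `{ headers: [{ key, value: Buffer }] }`; that shape, the `messageHeaderGetter`, and `withBaggageSizeLimit()` are all assumptions made here. The `keys(carrier)` / `get(carrier, key)` shape is the `TextMapGetter` interface from `@opentelemetry/api`, so the wrapped getter can be passed as the third argument of `propagator.extract(context, carrier, getter)`. The sample messages are constructed for the demonstration.

```javascript
// Added example: a TextMapGetter wrapper that refuses an oversized `baggage`
// value before the propagator's extract() ever parses it. Not OTel code.

const BAGGAGE_HEADER = 'baggage';
const BAGGAGE_MAX_BYTES = 8192; // W3C Baggage total-size limit from the advisory

// Assumed carrier shape: { headers: [{ key: string, value: Buffer }] }.
// Header names are matched case-insensitively; values are decoded as UTF-8.
const messageHeaderGetter = {
  keys(carrier) {
    return carrier.headers.map((h) => h.key.toLowerCase());
  },
  get(carrier, key) {
    const wanted = key.toLowerCase();
    const hits = carrier.headers
      .filter((h) => h.key.toLowerCase() === wanted)
      .map((h) => (Buffer.isBuffer(h.value) ? h.value.toString('utf8') : String(h.value)));
    if (hits.length === 0) return undefined;
    return hits.length === 1 ? hits[0] : hits; // TextMapGetter may return string | string[]
  },
};

// Wrap any TextMapGetter so that a `baggage` value whose UTF-8 size exceeds
// maxBytes is dropped (reported as absent) instead of being handed to extract().
// Every other header passes through untouched. Size is measured in bytes with
// Buffer.byteLength, so a multibyte value is not under-counted by string length.
function withBaggageSizeLimit(getter, maxBytes = BAGGAGE_MAX_BYTES) {
  return {
    keys: (carrier) => getter.keys(carrier),
    get(carrier, key) {
      const value = getter.get(carrier, key);
      if (key.toLowerCase() !== BAGGAGE_HEADER || value === undefined) return value;
      const values = Array.isArray(value) ? value : [value];
      const totalBytes = values.reduce((n, v) => n + Buffer.byteLength(v, 'utf8'), 0);
      return totalBytes > maxBytes ? undefined : value;
    },
  };
}

// Constructed sample message: a traceparent plus a baggage header of `baggageBytes` bytes.
function buildMessage(baggageBytes) {
  return {
    headers: [
      { key: 'traceparent', value: Buffer.from('00-0af7651916cd43dd8448eb211c80319c-b7ad6b7169203331-01') },
      { key: 'Baggage', value: Buffer.from('k=' + 'x'.repeat(baggageBytes - 2)) },
    ],
  };
}

const safeGetter = withBaggageSizeLimit(messageHeaderGetter);

// A 20,000-byte baggage header is dropped; the trace context is still delivered.
const oversized = buildMessage(20000);
console.log('baggage seen by propagator:', safeGetter.get(oversized, 'baggage'));
console.log('traceparent still present :', safeGetter.get(oversized, 'traceparent'));
// Use as: propagator.extract(context.active(), message, safeGetter)
```

Dropping the whole value rather than truncating it is a deliberate choice here: a cut-off header is itself an attacker-shaped input, and once `@opentelemetry/core` is at 2.8.0 or later the propagator applies its own limits anyway. The wrapper is a transport-side backstop for carriers where there is no equivalent of `--max-http-header-size`.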
Impact:
- Availability: Repeated exploitation can cause excessive memory allocation, leading to application instability or crash (denial of service).
- Risk level: Moderate in typical Node.js HTTP deployments due to the default 16 KB header limit, but higher in environments without transport-layer size restrictions (non-HTTP transports or raised limits).
Sources:
Reported By: github.com

