Listen to this Post
The vulnerability resides in how the BaggagePropagator, B3Propagator, and `JaegerPropagator` within the `OpenTelemetry.Api` and `OpenTelemetry.Extensions.Propagators` NuGet packages parse propagation headers like baggage, b3, and uber-trace-id. The root cause is twofold. First, `BaggagePropagator.Inject` fails to enforce the 8192-character length limit when the injected baggage contains a single item, a regression introduced by pull request 1048. Second, and more critically, the extraction methods for all three propagators—BaggagePropagator.Extract, B3Propagator.Extract, and JaegerPropagator.Extract—perform “eager” parsing. This means they allocate intermediate in-memory arrays for parsing before any limit checks are applied. An attacker can craft degenerated, malformed headers (e.g., strings with an excessive number of delimiters) that, when processed, cause the application to allocate memory for oversized intermediate storage of the parsed content. This memory allocation is grossly disproportionate to the input size, quickly exhausting system memory and leading to a denial-of-service condition by crashing the consuming application or rendering it unresponsive. The issue was introduced via multiple pull requests: 1048, 533, 3244, and 3309.
Platform: OpenTelemetry NuGet
Version: 0.5.0 – 1.15.2
Vulnerability: Excessive memory allocation
Severity: Medium (CVSS 5.3)
Date: 2026-04-23
Prediction: Patch 2026-04-23
What Undercode Say:
Detect vulnerable OpenTelemetry NuGet packages in .NET project dotnet list package --vulnerable --include-transitive | findstr OpenTelemetry Check specific versions dotnet list package OpenTelemetry.Api --version dotnet list package OpenTelemetry.Extensions.Propagators --version
// Simulated vulnerable parsing logic (simplified)
public byte[] Extract(string headerValue) {
// Eager allocation without size limits
var delimiterPositions = new int[headerValue.Length / 2];
return delimiterPositions.Select(p => ProcessChunk(p)).ToArray();
}
Exploit:
POST /collect HTTP/1.1 Host: vulnerable-app.com baggage: key=value,,,,,,,<repeat delimiter ',' to overflow>
Protection:
- Upgrade `OpenTelemetry.Api` and `OpenTelemetry.Extensions.Propagators` to version 1.15.3 or later.
- Configure HTTP server header limits (e.g., IIS default 16KB, nginx default 8KB).
- Disable baggage and trace propagation if not required.
Impact:
Excessive memory allocation from parsing malformed headers causes application crashes, leading to availability loss for consuming services.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

