Listen to this Post
The vulnerability stems from how the OpenTelemetry.Api package versions 1.10.0 to 1.11.1 processes `tracestate` and `traceparent` HTTP headers. Even if an application does not actively use trace context propagation, the internal parsing logic within the `TraceContextPropagator.Extract` method can be forced into excessive CPU consumption when it encounters specially crafted headers, particularly those containing duplicate keys in the `tracestate` list . The library attempts to parse and validate these headers, but a lack of efficient bounds checking or de-duplication in the parsing routine leads to a resource exhaustion scenario. An attacker can send a single HTTP request with a maliciously formed `tracestate` header to trigger this high CPU usage, effectively creating a Denial of Service (DoS) condition without requiring authentication . This impacts any web-accessible application or backend service using the affected package versions that processes incoming HTTP requests, as the headers are processed automatically by the telemetry middleware.
dailycve form:
Platform: OpenTelemetry .NET
Version: 1.10.0 – 1.11.1
Vulnerability : Resource Exhaustion DoS
Severity: High (7.5 CVSS)
date: March 5, 2025
Prediction: Patch already available (1.11.2)
What Undercode Say:
Analytics:
The vulnerability is triggered by a specific HTTP header, not complex payloads. The attack vector is network-based with low complexity, requiring no privileges or user interaction . The primary impact is on availability, causing high CPU usage that leads to latency and downtime. This is classified under CWE-770 (Allocation of Resources Without Limits or Throttling) .
Simulate a basic check for vulnerable package version in a .csproj file grep -i "PackageReference Include=\"OpenTelemetry.Api\"" myproject.csproj Check the actual installed version in a project dotnet list package --include-transitive | findstr OpenTelemetry.Api
How Exploit:
An attacker exploits this by sending an HTTP request containing a malicious `tracestate` header to a vulnerable endpoint. The exploit does not require authentication. A proof-of-concept can be as simple as a curl command with a crafted header containing many duplicate keys to maximize CPU impact .
Example of a potentially malicious request (conceptual) curl -H "tracestate: key1=value1,key1=value1,key1=value1,key1=value1,key1=value1" http://vulnerable-target.com/api/endpoint The exploit relies on the parsing logic of the specific library version.
Protection from this CVE:
The primary and most effective protection is to immediately upgrade the `OpenTelemetry.Api` package to version 1.11.2 or later . There are no known effective workarounds other than patching, as the header processing is often an integral part of the telemetry middleware that cannot be easily disabled without impacting observability . Ensure all applications using the transitive dependency are updated.
Patch command for .NET projects dotnet add package OpenTelemetry.Api --version 1.11.2 Verify the update dotnet list package --include-transitive | findstr OpenTelemetry.Api
Impact:
Successful exploitation leads to a Denial of Service. The application becomes unresponsive or severely degraded due to 100% CPU core consumption . This results in increased latency for all users, failed requests, and potential downtime for the service . The impact is on availability, with no direct effect on data confidentiality or integrity .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

