OpenTelemetryApi Denial of Service via Tracing Headers, CVE-2025-27513 (High)

Listen to this Post

The vulnerability stems from how the OpenTelemetry.Api package versions 1.10.0 to 1.11.1 processes `tracestate` and `traceparent` HTTP headers. Even if an application does not actively use trace context propagation, the internal parsing logic within the `TraceContextPropagator.Extract` method can be forced into excessive CPU consumption when it encounters specially crafted headers, particularly those containing duplicate keys in the `tracestate` list . The library attempts to parse and validate these headers, but a lack of efficient bounds checking or de-duplication in the parsing routine leads to a resource exhaustion scenario. An attacker can send a single HTTP request with a maliciously formed `tracestate` header to trigger this high CPU usage, effectively creating a Denial of Service (DoS) condition without requiring authentication . This impacts any web-accessible application or backend service using the affected package versions that processes incoming HTTP requests, as the headers are processed automatically by the telemetry middleware.

dailycve form:

Platform: OpenTelemetry .NET
Version: 1.10.0 – 1.11.1
Vulnerability : Resource Exhaustion DoS
Severity: High (7.5 CVSS)
date: March 5, 2025

Prediction: Patch already available (1.11.2)

What Undercode Say:

Analytics:

The vulnerability is triggered by a specific HTTP header, not complex payloads. The attack vector is network-based with low complexity, requiring no privileges or user interaction . The primary impact is on availability, causing high CPU usage that leads to latency and downtime. This is classified under CWE-770 (Allocation of Resources Without Limits or Throttling) .

Simulate a basic check for vulnerable package version in a .csproj file
grep -i "PackageReference Include=\"OpenTelemetry.Api\"" myproject.csproj
Check the actual installed version in a project
dotnet list package --include-transitive | findstr OpenTelemetry.Api

How Exploit:

An attacker exploits this by sending an HTTP request containing a malicious `tracestate` header to a vulnerable endpoint. The exploit does not require authentication. A proof-of-concept can be as simple as a curl command with a crafted header containing many duplicate keys to maximize CPU impact .

Example of a potentially malicious request (conceptual)
curl -H "tracestate: key1=value1,key1=value1,key1=value1,key1=value1,key1=value1" http://vulnerable-target.com/api/endpoint
The exploit relies on the parsing logic of the specific library version.

Protection from this CVE:

The primary and most effective protection is to immediately upgrade the `OpenTelemetry.Api` package to version 1.11.2 or later . There are no known effective workarounds other than patching, as the header processing is often an integral part of the telemetry middleware that cannot be easily disabled without impacting observability . Ensure all applications using the transitive dependency are updated.

Patch command for .NET projects
dotnet add package OpenTelemetry.Api --version 1.11.2
Verify the update
dotnet list package --include-transitive | findstr OpenTelemetry.Api

Impact:

Successful exploitation leads to a Denial of Service. The application becomes unresponsive or severely degraded due to 100% CPU core consumption . This results in increased latency for all users, failed requests, and potential downtime for the service . The impact is on availability, with no direct effect on data confidentiality or integrity .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top