Description
opentelemetry-js is the OpenTelemetry JavaScript Client. Prior to 2.8.0, W3CBaggagePropagator.extract() in @opentelemetry/core does not enforce size limits when parsing inbound baggage HTTP headers. The W3C Baggage specification recommends a maximum of 8,192 bytes and 180 entries; these limits were only enforced on the outbound (inject()) path, not on the inbound (extract()) path. Parsing oversized baggage causes memory allocation proportional to the header size without any cap. This vulnerability is fixed in 2.8.0.
Severity (CVSS)
| Base score | 5.3 |
|---|---|
| Severity | Medium |
| Version | CVSS 3.1 |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| Provided by | CNA |
Weaknesses
- CWE-770 — CWE-770: Allocation of Resources Without Limits or Throttling
Affected products
| Vendor | Product | Versions |
|---|---|---|
| open-telemetry | opentelemetry-js | < 2.8.0 |
References
Generated from the official CVE List on 23 Jun 2026 10:05 UTC.