Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from Vendor (https://github.com/open-telemetry/opentelemetry-java).
CVSS VectorVendor: https://github.com/open-telemetry/opentelemetry-java
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
2Blast Radius
ecosystem impact- 1,593 maven packages depend on io.opentelemetry:opentelemetry-api (284 direct, 1,311 indirect)
- 250 maven packages depend on io.opentelemetry:opentelemetry-extension-trace-propagators (13 direct, 237 indirect)
Ecosystem-wide dependent count for version 1.62.0 and other introduced versions.
DescriptionCVE.org
Overview
A vulnerability affects the baggage propagation implementation in opentelemetry-api and opentelemetry-extension-trace-propagators. Parsing oversized baggage causes unbounded memory allocation and CPU consumption. Because baggage is automatically re-injected into every outgoing request, the effect can fan out to downstream services that never received the original malicious request.
Technical Details
W3CBaggagePropagatordid not enforce any limit on the total size or entry count of the
baggage header. The parser iterated character-by-character through the entire value regardless of length.
JaegerPropagatorandOtTracePropagatorhad the same gap in their respective baggage
extraction paths.
- The W3C Baggage specification recommends a maximum of 8,192 bytes and 180 entries; none of
these limits were enforced.
Impact
The practical availability impact for most deployments is limited. Every major Java HTTP server enforces its own header size limit (Tomcat, Jetty, Netty, Vert.x, and gRPC-Java all default to 8 KiB), constraining what an external attacker can deliver before the application is reached. The risk is higher when transport-layer limits are absent - e.g., a compromised internal service communicating over a non-HTTP or custom transport.
Remediation
Update to version 1.62.0 or later (#8380). The fix enforces limits consistent with the W3C Baggage specification at the propagator level:
- Maximum total baggage size: 8,192 bytes across all
baggageheader values - Maximum number of entries: 64
Headers that would exceed either limit are dropped at the point the limit is reached; already-extracted valid entries are retained.
Workarounds
Ensure HTTP header size limits are configured at the server or gateway level. Most Java HTTP servers enforce an 8 KiB header limit by default, which mitigates external attack vectors independently of this fix.
References
AnalysisAI
Unbounded memory allocation and CPU exhaustion in OpenTelemetry Java SDK's baggage propagation allows remote unauthenticated attackers to degrade or deny service by sending oversized baggage headers. Affected components - W3CBaggagePropagator, JaegerPropagator, and OtTracePropagator - all lacked enforcement of the W3C Baggage specification's recommended size and entry limits, causing character-by-character parsing of arbitrarily large inputs. A distinctive amplification risk exists: baggage is automatically re-injected into all outgoing requests, meaning a single malicious inbound payload can fan out DoS effects to downstream services that never directly received the original request. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.
Technical ContextAI
CWE-770 (Allocation of Resources Without Limits or Throttling) describes the root cause: the Parser class in io.opentelemetry.api.baggage.propagation iterated character-by-character over the full baggage header value without any bound on total bytes or entry count. The W3C Baggage specification recommends a maximum of 8,192 bytes and 180 entries, but none of the three affected propagators - W3CBaggagePropagator, JaegerPropagator, and OtTracePropagator - enforced these recommendations. The affected Maven packages are pkg:maven/io.opentelemetry:opentelemetry-api and pkg:maven/io.opentelemetry:opentelemetry-extension-trace-propagators, both versions up to and including 1.61.0. The OpenTelemetry baggage propagation mechanism is a distributed tracing concern: baggage entries are key-value pairs carried across service boundaries via HTTP or custom transports, making the fan-out amplification a structurally inherent risk of the design rather than a secondary effect.
RemediationAI
Vendor-released patch: 1.62.0. Upgrade both io.opentelemetry:opentelemetry-api and io.opentelemetry:opentelemetry-extension-trace-propagators to version 1.62.0 or later. The fix, implemented via PR #8380 (https://github.com/open-telemetry/opentelemetry-java/pull/8380) and commit 03837d3c1763bc35464aea1078671e2ef2336a5f, introduces a maximum baggage size of 8,192 bytes across all baggage header values and a maximum of 64 entries; headers exceeding either limit are dropped at the point the limit is reached while previously extracted valid entries are retained. For deployments where immediate upgrade is not possible, verify that HTTP header size limits are explicitly configured at the server or gateway layer: Tomcat, Jetty, Netty, Vert.x, and gRPC-Java all default to 8 KiB, which mitigates external attack vectors. Note that this workaround does not protect against a compromised internal service exploiting the fan-out path over non-HTTP or custom transports - for those architectures, upgrading to 1.62.0 is the only reliable control. The release is available at https://github.com/open-telemetry/opentelemetry-java/releases/tag/v1.62.0.
When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTT
Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8
When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. Rated high severity (CVSS 8.1), this
MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products,
When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80 it was possible to bypass security constraints and/or
java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat 6.x before 6.0.42, 7.x before 7.0.55, and
Directory traversal vulnerability in the Tomcat administrative web interface in Cisco Unified Communications Manager all
Buffer overflow in Apache Tomcat Connectors (mod_jk) before 1.2.42. Rated critical severity (CVSS 9.8), this vulnerabili
The Tomcat init script in the tomcat7 package before 7.0.56-3+deb8u4 and tomcat8 package before 8.0.14-1+deb8u3 on Debia
The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distribu
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data b
Improper Input Validation vulnerability in Apache Tomcat. Rated high severity (CVSS 7.5), this vulnerability is remotely
Same technique Denial Of Service
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32953
GHSA-rcgg-9c38-7xpx