Skip to main content

opentelemetry_sdk CVE-2026-48504

MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-06-25 https://github.com/open-telemetry/opentelemetry-rust GHSA-w9wp-h8wv-79jx
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
vuln.today AI
5.3 MEDIUM

Network-reachable without authentication, trivial to trigger, availability-only impact via resource exhaustion; C and I are N per explicit vendor confirmation of no data exposure or code execution.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 25, 2026 - 19:31 vuln.today
Analysis Generated
Jun 25, 2026 - 19:31 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 3 cargo packages depend on opentelemetry_sdk (3 direct, 0 indirect)

Ecosystem-wide dependent count for version 0.32.1.

DescriptionGitHub Advisory

Summary

BaggagePropagator::extract_with_context in opentelemetry_sdk did not enforce the W3C Baggage size limits before parsing an inbound baggage header. A large attacker-controlled header could cause unnecessary CPU work and short-lived heap allocations while parsing entries that would later be discarded by the SDK's baggage storage limits.

The SDK now applies limits aligned with the W3C Baggage limits:

  • 64 list-members
  • 8192 bytes total

Impact

Services that accept untrusted inbound propagation headers may experience increased per-request resource usage when processing oversized baggage headers. This can contribute to denial-of-service risk, especially when application or transport-level header limits are absent or configured above the W3C Baggage limits.

The impact is limited to availability. This issue does not expose telemetry data, modify telemetry data, or allow code execution.

Patches

Upgrade opentelemetry_sdk to version 0.32.1 or later.

Version 0.32.1 rejects baggage header values larger than 8192 bytes and limits extraction to the first 64 list-members.

Workarounds

If upgrading immediately is not possible, reject or limit inbound baggage headers larger than 8192 bytes before invoking OpenTelemetry propagation extraction. This can be enforced at a proxy, gateway, middleware layer, or custom carrier boundary.

Resources

  • W3C Baggage limits: https://www.w3.org/TR/baggage/#limits
  • Related OpenTelemetry Java advisory: https://github.com/open-telemetry/opentelemetry-java/security/advisories/GHSA-rcgg-9c38-7xpx
  • Related OpenTelemetry Go advisory: https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-mh2q-q3fh-2475
  • CVE-2026-48504

Credit

tonghuaroot

AnalysisAI

Unbounded resource consumption in the Rust opentelemetry_sdk's BaggagePropagator::extract_with_context allows unauthenticated remote attackers to cause elevated CPU and heap allocation overhead by sending oversized W3C baggage propagation headers to any service using versions 0.32.0 or earlier. The SDK parsed the full header content before applying storage limits, meaning attacker-supplied data was processed and then discarded - wasting resources on every malicious request. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Send crafted HTTP request with oversized baggage header
Delivery
Bypass proxy with no header size limits
Exploit
Trigger BaggagePropagator full header parse
Execution
Consume CPU tokenization and heap allocation per request
Persist
Repeat at high request rate
Impact
Degrade service availability

Vulnerability AssessmentAI

Exploitation Exploitation requires three concurrent conditions: the target service must use pkg:rust/opentelemetry_sdk at version 0.32.0 or earlier; the service must have BaggagePropagator registered as a propagator so that inbound baggage headers are processed by the vulnerable extraction path; and the service must be reachable by untrusted HTTP traffic without a preceding infrastructure layer (proxy, gateway, or middleware) that enforces header size limits at or below 8192 bytes. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 5.3 score (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) reflects a straightforward, low-complexity, unauthenticated network-reachable DoS with limited individual-request availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sends a stream of HTTP requests to a service instrumented with opentelemetry_sdk (Rust, <= 0.32.0) where each request carries a crafted baggage header containing hundreds of list-members or a payload exceeding 8192 bytes. The SDK tokenizes and heap-allocates the full header content per request before discarding the excess, multiplying CPU and memory overhead across the request pipeline. …
Remediation Upgrade opentelemetry_sdk to version 0.32.1 or later; this release enforces the W3C Baggage limits of 8192 bytes total and 64 list-members at the extraction boundary before any parsing occurs, eliminating the resource amplification. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Module for Basesystem 15 SP7 Affected

Share

CVE-2026-48504 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy