Skip to main content

@opentelemetry/core CVE-2026-54285

| EUVDEUVD-2026-38321 MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-06-15 https://github.com/open-telemetry/opentelemetry-js GHSA-8988-4f7v-96qf
5.3
CVSS 3.1 · Vendor: https://github.com/open-telemetry/opentelemetry-js
Share

Severity by source

Vendor (https://github.com/open-telemetry/opentelemetry-js) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
vuln.today AI
5.3 MEDIUM

Network-delivered, no auth required, no user interaction; availability impact is Low because Node.js HTTP defaults naturally bound most deployments.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/open-telemetry/opentelemetry-js).

CVSS VectorVendor: https://github.com/open-telemetry/opentelemetry-js

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 15, 2026 - 22:49 vuln.today
Analysis Generated
Jun 15, 2026 - 22:49 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 904 npm packages depend on @opentelemetry/core (286 direct, 618 indirect)

Ecosystem-wide dependent count for version 2.8.0.

DescriptionCVE.org

Overview

W3CBaggagePropagator.extract() in @opentelemetry/core does not enforce size limits when parsing inbound baggage HTTP headers. The W3C Baggage specification recommends a maximum of 8,192 bytes and 180 entries; these limits were only enforced on the outbound (inject()) path, not on the inbound (extract()) path. Parsing oversized baggage causes memory allocation proportional to the header size without any cap.

Impact

The practical availability impact for most Node.js deployments is limited. Node.js enforces a default --max-http-header-size of 16,384 bytes on the total combined size of all HTTP headers, constraining what an external attacker can deliver before the propagator is reached. Additionally, the header is already in memory (parsed by the HTTP layer) by the time it reaches the propagator - the additional allocation is the overhead of splitting into entry objects, not an unbounded read.

The risk is higher when transport-layer limits are absent - e.g., non-HTTP transports (messaging systems, custom TextMapGetter implementations) or deployments that have raised --max-http-header-size.

Remediation

Update @opentelemetry/core to version 2.8.0 or later. The fix enforces limits consistent with the W3C Baggage specification at the propagator level:

  • Maximum total baggage size: 8,192 bytes
  • Maximum number of entries: 180
  • Maximum per-entry size: 4,096 bytes

Headers that exceed these limits are truncated at the point the limit is reached.

Workarounds

Ensure header size limits are configured at the server or gateway level. The default Node.js HTTP header limit (16 KB) mitigates external attack vectors independently of this fix. For non-HTTP transports receiving baggage from untrusted sources, validate input size before passing it to the propagator.

References

Credit

Reported by tonghuaroot.

AnalysisAI

Unbounded memory allocation in @opentelemetry/core affects the W3CBaggagePropagator.extract() method, which fails to enforce W3C Baggage specification size limits (8,192 bytes, 180 entries) on the inbound parsing path - only the outbound inject() path was protected. Unauthenticated remote attackers can exploit this to cause partial availability degradation by sending oversized baggage headers, with elevated risk in non-HTTP transport contexts (messaging systems, custom TextMapGetter implementations) where Node.js's native 16 KB header cap does not apply. No public exploit code or CISA KEV listing exists; the CVSS 5.3 Medium score reflects the real-world constraint imposed by Node.js defaults on the dominant HTTP deployment pattern.

Technical ContextAI

The W3C Baggage specification (https://www.w3.org/TR/baggage/#limits) defines recommended caps - 8,192 bytes total, 180 entries, 4,096 bytes per entry - to prevent resource exhaustion during context propagation. The @opentelemetry/core npm package implements the W3CBaggagePropagator interface for distributed tracing context propagation. Prior to version 2.8.0, the extract() method parsed inbound baggage headers into entry objects without enforcing these caps, causing memory allocation that scales linearly with header size. CWE-770 (Allocation of Resources Without Limits or Throttling) precisely characterizes the root cause: the parser consumed attacker-controlled input without bounding object creation. The affected CPE is pkg:npm/@opentelemetry/core versions before 2.8.0. Parallel advisories exist for opentelemetry-java (GHSA-rcgg-9c38-7xpx) and opentelemetry-go (GHSA-mh2q-q3fh-2475), indicating this is a cross-ecosystem design gap in the OpenTelemetry propagation layer.

RemediationAI

Upgrade @opentelemetry/core to version 2.8.0 or later, which enforces W3C Baggage specification limits at the propagator level: maximum total baggage size of 8,192 bytes, maximum 180 entries, and maximum 4,096 bytes per entry, with truncation applied at the point a limit is reached. The advisory is at https://github.com/open-telemetry/opentelemetry-js/security/advisories/GHSA-8988-4f7v-96qf. For teams unable to patch immediately, ensure the Node.js HTTP server is running with the default --max-http-header-size of 16,384 bytes (do not raise this value); this limits external HTTP attack surface but does not protect non-HTTP transports. For services consuming baggage over non-HTTP transports (messaging queues, gRPC, custom TextMapGetter implementations), validate and cap the raw baggage string length before passing it to extract() as a compensating control - note this requires application-level changes and adds latency to the propagation path.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Share

CVE-2026-54285 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy