Skip to main content

OpenTelemetry Go EUVDEUVD-2026-34288

| CVE-2026-41178 MEDIUM
Memory Allocation with Excessive Size Value (CWE-789)
2026-05-28 https://github.com/open-telemetry/opentelemetry-go GHSA-5wrp-cwcj-q835
5.3
CVSS 3.1 · Vendor: https://github.com/open-telemetry/opentelemetry-go
Share

Severity by source

Vendor (https://github.com/open-telemetry/opentelemetry-go) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from Vendor (https://github.com/open-telemetry/opentelemetry-go) · only source for this CVE.

CVSS VectorVendor: https://github.com/open-telemetry/opentelemetry-go

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

2
Source Code Evidence Fetched
May 28, 2026 - 17:46 vuln.today
Analysis Generated
May 28, 2026 - 17:46 vuln.today

DescriptionCVE.org

Summary

https://github.com/open-telemetry/opentelemetry-go/pull/7880 removed raw-length rejection and it causes Parse to process arbitrarily large/invalid baggage headers and log errors, enabling DoS via oversized inputs.

Details

The commit removes the upfront baggage-string length check and the per-member size guard in parsing. Parse now walks the entire input with strings.SplitSeq and skips invalid members while continuing to process the rest. For very large or malformed baggage headers, the parser still fully tokenizes and percent-decodes each member, and errors are forwarded to the global error handler (default logging). This lets a remote client send oversized/invalid headers to trigger excessive CPU/memory work and potentially large log output before any size limit is enforced, creating a denial-of-service risk in services that do not already enforce strict header size limits.

Summary:

  • In baggage/baggage.go, parseMember performs full parsing and PathUnescape on the entire member without any size guard, amplifying work for large inputs. Parse no longer checks bStr length and continues processing invalid members, so oversized/invalid headers are fully parsed instead of being rejected early.
  • In propagation/baggage.go, parsing errors from attacker-controlled headers are sent to the global error handler (default logging), which can amplify oversized-input impact.

PoC

baggage_dos_poc.tar.gz

Impact

The issue is reachable through standard propagation parsing (in-scope) and can be exploited remotely to cause CPU/log amplification, but the impact is availability-only and bounded by transport header limits and configurable error handling, supporting a medium severity rather than high/critical.

baggage.Parse iterates over all list members with strings.SplitSeq and skips invalid members while continuing, without a raw-length guard. parseMember performs full parsing and PathUnescape on each member, and propagation.Baggage forwards parsing errors to the global error handler, which logs by default. A remote client can therefore send oversized/invalid baggage headers that bypass the 8KB limit for valid members, causing extra CPU work and large log output, resulting in availability/log amplification in services that accept large headers and use the default handler.

Assumptions:

  • An instrumented service uses the OpenTelemetry baggage propagator for inbound request parsing.
  • Attackers can send oversized or malformed baggage headers that pass the hosting server/proxy header size limits.
  • The default error handler is used or logs are otherwise emitted for parse errors.
  • Inbound request parsing with propagation.Baggage
  • Oversized/invalid baggage headers accepted by the HTTP/gRPC stack
  • Error handler not suppressing parse errors

AnalysisAI

CPU and log amplification in opentelemetry-go's baggage parser allows remote unauthenticated attackers to trigger denial-of-service by submitting oversized or malformed W3C baggage headers to any instrumented Go service. PR #7880 inadvertently removed the upfront raw-length check and per-member size guard from baggage.Parse, meaning the parser now fully tokenizes and percent-decodes every member of an arbitrarily large input rather than rejecting it early. A publicly available proof-of-concept exists (GHSA-5wrp-cwcj-q835); the vulnerability is not yet listed in CISA KEV, and impact is bounded to availability with no confirmed confidentiality or integrity consequence.

Technical ContextAI

The affected packages are go.opentelemetry.io/otel/baggage and go.opentelemetry.io/otel/propagation, both part of the opentelemetry-go SDK (CPE: pkg:go/go.opentelemetry.io_otel_baggage and pkg:go/go.opentelemetry.io_otel_propagation). The root cause is CWE-789 (Uncontrolled Memory Allocation): the Parse function in baggage/baggage.go uses strings.SplitSeq to iterate over all comma-delimited baggage list-members without first enforcing a ceiling on the raw header string length. Each member is then passed to parseMember, which performs full tokenization and url.PathUnescape - a CPU-intensive operation - on potentially attacker-controlled data of unbounded size. Compounding this, propagation/baggage.go routes all parse errors from these attacker-controlled headers to the global error handler, which defaults to logging, creating a log-amplification vector alongside the CPU amplification. The W3C Baggage specification defines an 8 KB limit for valid member values, but the removed guard was the enforcement point for rejecting oversized raw strings before any work was done.

RemediationAI

Upgrade go.opentelemetry.io/otel/baggage and go.opentelemetry.io/otel/propagation to version 1.42.0 (if pinned near 1.41.0) or version 1.44.0 (if pinned near 1.43.0), as confirmed by GHSA-5wrp-cwcj-q835. Run go get go.opentelemetry.io/otel@v1.44.0 and update your go.sum accordingly. If an immediate upgrade is not feasible, enforce strict incoming header size limits at the HTTP server or reverse proxy layer (e.g., NGINX large_client_header_buffers, Envoy max_request_headers_kb, Go's http.Server.MaxHeaderBytes) - this is the most effective compensating control because it prevents oversized baggage strings from ever reaching the parser; note that setting this too low may break legitimate distributed tracing if real baggage headers are large. As a secondary mitigation, configure a custom OpenTelemetry error handler (otel.SetErrorHandler) that suppresses or rate-limits logging of parse errors, which eliminates the log-amplification vector while not addressing the CPU amplification. Advisory details are at https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-5wrp-cwcj-q835.

Share

EUVD-2026-34288 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy