CVE-2026-54285

opentelemetry-js: Unbounded memory allocation in W3C Baggage propagation

CVSS 5.3 MEDIUMEPSS 0.2%CWE-770

Vexday Risk Score

13Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 5.3EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

22 jun 2026Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

opentelemetry-js is the OpenTelemetry JavaScript Client. Prior to 2.8.0, W3CBaggagePropagator.extract() in @opentelemetry/core does not enforce size limits when parsing inbound baggage HTTP headers. The W3C Baggage specification recommends a maximum of 8,192 bytes and 180 entries; these limits were only enforced on the outbound (inject()) path, not on the inbound (extract()) path. Parsing oversized baggage causes memory allocation proportional to the header size without any cap. This vulnerability is fixed in 2.8.0.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Produtos afetados

open-telemetry · opentelemetry-js

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://github.com/open-telemetry/opentelemetry-js/security/advisories/GHSA-8988-4f7v-96qf