Datadog dd-trace-py Improper Parsing of W3C Baggage Headers Leads to DoS
The Datadog dd-trace-py tracing library, versions prior to 4.8.2, is vulnerable to a Denial of Service (DoS) attack due to improper parsing of W3C baggage HTTP headers, which fails to enforce item-count or byte-size limits on the extraction path, allowing an unauthenticated attacker to send a request with an arbitrarily large baggage header causing unbounded CPU and memory consumption.
The dd-trace-py library, a Python tracing library for Datadog, versions prior to 4.8.2, contains a Denial of Service (DoS) vulnerability (CVE-2026-50271). This vulnerability stems from improper parsing of W3C baggage HTTP headers. While the library enforces DD_TRACE_BAGGAGE_MAX_ITEMS (default 64) and DD_TRACE_BAGGAGE_MAX_BYTES (default 8192) limits during baggage injection, these limits are not applied during baggage extraction. A remote, unauthenticated attacker can exploit this by sending an HTTP request containing a baggage header with an arbitrarily large number of comma-separated key-value pairs or a single, excessively long value. The vulnerable tracer will allocate a hash-map entry for each pair on every request without bounds, leading to severe CPU and memory consumption. This can result in a remote DoS against any internet-facing HTTP service instrumented with an affected dd-trace-py version, especially since baggage propagation is typically enabled by default. The issue was published on 2026-07-15.
Attack Chain
- An unauthenticated attacker crafts an HTTP request targeting an internet-facing application instrumented with
dd-trace-py. - The attacker includes a
W3C baggageHTTP header in the request, designed to contain an excessive number of comma-separated key-value pairs or a single, extremely long value. - The vulnerable application, running
dd-trace-pyversions prior to 4.8.2 with default baggage propagation settings, receives the malformed request. - The
dd-trace-pylibrary begins to parse the incomingbaggageheader. During this extraction process, it fails to enforce configured limits on item count or byte size. - This unbounded parsing leads to the allocation of an arbitrarily large number of hash-map entries and excessive processing, consuming high CPU and memory resources on the server.
- The server's computational and memory resources become exhausted, causing the instrumented application to become unresponsive and resulting in a Denial of Service (DoS).
Impact
Successful exploitation of CVE-2026-50271 leads to a Denial of Service against any HTTP service instrumented with vulnerable dd-trace-py versions. The impact includes unbounded CPU and memory consumption on the targeted server, rendering the application unresponsive and unavailable to legitimate users. Since baggage propagation is often enabled by default, a wide range of internet-facing services could be vulnerable without explicit configuration changes or upgrades. The attack is unauthenticated, allowing any remote actor to trigger the DoS condition.
Recommendation
- Upgrade the
dd-trace-pylibrary to version 4.8.2 or later immediately to patch CVE-2026-50271. - If immediate upgrade is not possible, disable
baggageextraction by removingbaggagefrom theDD_TRACE_PROPAGATION_STYLEenvironment variable, or fromDD_TRACE_PROPAGATION_STYLE_EXTRACTif set independently. - Implement measures at an upstream proxy or web server to cap the maximum HTTP request header size (e.g., configure Apache's
LimitRequestFieldSize, Nginx'slarge_client_header_buffers, or Envoy'smax_request_headers_kb).