{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/datadog.trace.opentracing--3.43.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Datadog.Trace (\u003c 3.43.0)","Datadog.Trace.OpenTracing (\u003c 3.43.0)"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","vulnerability","dot-net"],"_cs_type":"advisory","_cs_vendors":["Datadog"],"content_html":"\u003cp\u003eA high-severity Denial of Service (DoS) vulnerability, identified as CVE-2026-50273, affects Datadog tracing libraries, specifically \u003ccode\u003edd-trace-dotnet\u003c/code\u003e versions prior to 3.43.0. The vulnerability stems from improper parsing of W3C baggage HTTP headers, where the libraries fail to enforce item-count or byte-size limits during header extraction. While limits were applied during baggage injection, they were not active during extraction, allowing remote, unauthenticated attackers to send specially crafted HTTP requests. These requests contain baggage headers with an arbitrarily large number of comma-separated key-value pairs or a single excessively large value. When the vulnerable tracer attempts to process such headers, it allocates a hash-map entry for each perceived pair, leading to unbounded consumption of CPU and memory resources. This resource exhaustion results in a Denial of Service against any HTTP service instrumented with an affected \u003ccode\u003edd-trace-dotnet\u003c/code\u003e version, particularly since baggage propagation is enabled by default in most affected tracers.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an internet-facing HTTP service instrumented with a vulnerable \u003ccode\u003edd-trace-dotnet\u003c/code\u003e version (prior to 3.43.0) where W3C baggage propagation is enabled (often by default).\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP request targeting the vulnerable service.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a W3C \u003ccode\u003ebaggage\u003c/code\u003e HTTP header containing an arbitrarily large number of comma-separated key-value pairs or a single, extremely large value.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003edd-trace-dotnet\u003c/code\u003e library receives the request and initiates the process of parsing and extracting baggage items from the malformed header.\u003c/li\u003e\n\u003cli\u003eDue to the absence of item-count or byte-size limits on the extraction path, the tracer continuously allocates hash-map entries for each item it attempts to extract.\u003c/li\u003e\n\u003cli\u003eThis uncontrolled allocation leads to rapid and unbounded consumption of the service's CPU and memory resources.\u003c/li\u003e\n\u003cli\u003eThe affected HTTP service experiences severe performance degradation, becomes unresponsive, or crashes entirely, resulting in a Denial of Service for legitimate users.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-50273 leads to a Denial of Service for any HTTP service instrumented with vulnerable \u003ccode\u003edd-trace-dotnet\u003c/code\u003e libraries (versions prior to 3.43.0) with default baggage propagation settings. Attackers can leverage this vulnerability to trigger unbounded CPU and memory consumption by sending a single malicious HTTP request containing an oversized W3C baggage header. This results in the service becoming unresponsive or crashing due to resource exhaustion, effectively taking it offline. The impact extends to critical business applications and infrastructure relying on Datadog tracing, leading to significant operational disruption and potential data loss if services are not properly restarted.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade all instances of \u003ccode\u003edd-trace-dotnet\u003c/code\u003e to version 3.43.0 or later to patch CVE-2026-50273.\u003c/li\u003e\n\u003cli\u003eIf immediate upgrade is not feasible, disable \u003ccode\u003ebaggage\u003c/code\u003e extraction by removing \u003ccode\u003ebaggage\u003c/code\u003e from the \u003ccode\u003eDD_TRACE_PROPAGATION_STYLE\u003c/code\u003e environment variable, or \u003ccode\u003eDD_TRACE_PROPAGATION_STYLE_EXTRACT\u003c/code\u003e if set independently.\u003c/li\u003e\n\u003cli\u003eImplement measures to cap the maximum HTTP request header size at an upstream proxy or web server (e.g., configure Apache's \u003ccode\u003eLimitRequestFieldSize\u003c/code\u003e, Nginx's \u003ccode\u003elarge_client_header_buffers\u003c/code\u003e, or Envoy's \u003ccode\u003emax_request_headers_kb\u003c/code\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-15T23:02:40Z","date_published":"2026-07-15T23:02:40Z","id":"https://feed.craftedsignal.io/briefs/2026-07-dd-trace-dotnet-dos/","summary":"A Denial of Service (DoS) vulnerability exists in Datadog tracing libraries (`dd-trace-dotnet`) due to improper parsing of W3C baggage HTTP headers, allowing remote, unauthenticated attackers to send requests with arbitrarily large baggage headers, causing unbounded CPU and memory consumption and leading to service unavailability for any HTTP service instrumented with affected library versions where baggage propagation is enabled by default. The issue, tracked as CVE-2026-50273, is resolved in version 3.43.0 and later.","title":"Datadog dd-trace-dotnet Improper W3C Baggage Header Parsing Leads to DoS","url":"https://feed.craftedsignal.io/briefs/2026-07-dd-trace-dotnet-dos/"}],"language":"en","title":"CraftedSignal Threat Feed - Datadog.Trace.OpenTracing (\u003c 3.43.0)","version":"https://jsonfeed.org/version/1.1"}