<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Datadog.Trace.OpenTracing (&lt; 3.43.0) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/datadog.trace.opentracing--3.43.0/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 15 Jul 2026 23:02:40 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/datadog.trace.opentracing--3.43.0/feed.xml" rel="self" type="application/rss+xml"/><item><title>Datadog dd-trace-dotnet Improper W3C Baggage Header Parsing Leads to DoS</title><link>https://feed.craftedsignal.io/briefs/2026-07-dd-trace-dotnet-dos/</link><pubDate>Wed, 15 Jul 2026 23:02:40 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-dd-trace-dotnet-dos/</guid><description>A Denial of Service (DoS) vulnerability exists in Datadog tracing libraries (`dd-trace-dotnet`) due to improper parsing of W3C baggage HTTP headers, allowing remote, unauthenticated attackers to send requests with arbitrarily large baggage headers, causing unbounded CPU and memory consumption and leading to service unavailability for any HTTP service instrumented with affected library versions where baggage propagation is enabled by default. The issue, tracked as CVE-2026-50273, is resolved in version 3.43.0 and later.</description><content:encoded><![CDATA[<p>A high-severity Denial of Service (DoS) vulnerability, identified as CVE-2026-50273, affects Datadog tracing libraries, specifically <code>dd-trace-dotnet</code> versions prior to 3.43.0. The vulnerability stems from improper parsing of W3C baggage HTTP headers, where the libraries fail to enforce item-count or byte-size limits during header extraction. While limits were applied during baggage injection, they were not active during extraction, allowing remote, unauthenticated attackers to send specially crafted HTTP requests. These requests contain baggage headers with an arbitrarily large number of comma-separated key-value pairs or a single excessively large value. When the vulnerable tracer attempts to process such headers, it allocates a hash-map entry for each perceived pair, leading to unbounded consumption of CPU and memory resources. This resource exhaustion results in a Denial of Service against any HTTP service instrumented with an affected <code>dd-trace-dotnet</code> version, particularly since baggage propagation is enabled by default in most affected tracers.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies an internet-facing HTTP service instrumented with a vulnerable <code>dd-trace-dotnet</code> version (prior to 3.43.0) where W3C baggage propagation is enabled (often by default).</li>
<li>Attacker crafts a malicious HTTP request targeting the vulnerable service.</li>
<li>The crafted request includes a W3C <code>baggage</code> HTTP header containing an arbitrarily large number of comma-separated key-value pairs or a single, extremely large value.</li>
<li>The vulnerable <code>dd-trace-dotnet</code> library receives the request and initiates the process of parsing and extracting baggage items from the malformed header.</li>
<li>Due to the absence of item-count or byte-size limits on the extraction path, the tracer continuously allocates hash-map entries for each item it attempts to extract.</li>
<li>This uncontrolled allocation leads to rapid and unbounded consumption of the service's CPU and memory resources.</li>
<li>The affected HTTP service experiences severe performance degradation, becomes unresponsive, or crashes entirely, resulting in a Denial of Service for legitimate users.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-50273 leads to a Denial of Service for any HTTP service instrumented with vulnerable <code>dd-trace-dotnet</code> libraries (versions prior to 3.43.0) with default baggage propagation settings. Attackers can leverage this vulnerability to trigger unbounded CPU and memory consumption by sending a single malicious HTTP request containing an oversized W3C baggage header. This results in the service becoming unresponsive or crashing due to resource exhaustion, effectively taking it offline. The impact extends to critical business applications and infrastructure relying on Datadog tracing, leading to significant operational disruption and potential data loss if services are not properly restarted.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade all instances of <code>dd-trace-dotnet</code> to version 3.43.0 or later to patch CVE-2026-50273.</li>
<li>If immediate upgrade is not feasible, disable <code>baggage</code> extraction by removing <code>baggage</code> from the <code>DD_TRACE_PROPAGATION_STYLE</code> environment variable, or <code>DD_TRACE_PROPAGATION_STYLE_EXTRACT</code> if set independently.</li>
<li>Implement measures to cap the maximum HTTP request header size at an upstream proxy or web server (e.g., configure Apache's <code>LimitRequestFieldSize</code>, Nginx's <code>large_client_header_buffers</code>, or Envoy's <code>max_request_headers_kb</code>).</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>denial-of-service</category><category>vulnerability</category><category>dot-net</category></item></channel></rss>