<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Dd-Java-Agent (&lt; 1.62.0) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/dd-java-agent--1.62.0/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 15 Jul 2026 22:55:01 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/dd-java-agent--1.62.0/feed.xml" rel="self" type="application/rss+xml"/><item><title>Datadog dd-trace-java DoS Vulnerability via W3C Baggage Headers</title><link>https://feed.craftedsignal.io/briefs/2026-07-dos-dd-trace-java/</link><pubDate>Wed, 15 Jul 2026 22:55:01 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-dos-dd-trace-java/</guid><description>A denial-of-service vulnerability, CVE-2026-50270, exists in Datadog tracing libraries (dd-trace-java prior to version 1.62.0) that implement W3C baggage propagation. Remote, unauthenticated attackers can exploit this by sending HTTP requests with W3C baggage headers containing an arbitrarily large number of comma-separated key-value pairs. The tracer, when extracting these headers, fails to enforce item-count or byte-size limits, leading to unbounded CPU and memory consumption as it allocates hash-map entries for each pair, thereby causing a denial of service against the instrumented HTTP service.</description><content:encoded><![CDATA[<p>A high-severity denial-of-service vulnerability, tracked as CVE-2026-50270, affects Datadog's <code>dd-trace-java</code> library versions prior to 1.62.0. This flaw stems from improper parsing of W3C baggage HTTP headers without enforcing item-count or byte-size limits during the extraction process. While limits exist for baggage injection, they are not applied during extraction. A remote, unauthenticated attacker can exploit this by sending a specially crafted HTTP request containing an oversized or malformed W3C <code>baggage</code> header. This malicious header, when processed by the vulnerable tracer, triggers unbounded CPU and memory consumption as the library attempts to allocate hash-map entries for each of the numerous key-value pairs, leading to a denial of service against any internet-facing HTTP service instrumented with the affected <code>dd-trace-java</code> versions. W3C baggage propagation is often enabled by default, increasing the attack surface.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies an internet-facing Java application instrumented with a vulnerable <code>dd-trace-java</code> version (prior to 1.62.0) that has W3C baggage propagation enabled.</li>
<li>The attacker crafts a malicious HTTP request, including a W3C <code>baggage</code> header containing an excessively large number of comma-separated key-value pairs or a single extremely long value.</li>
<li>The crafted HTTP request is sent by the attacker to the target application's exposed HTTP endpoint.</li>
<li>The vulnerable <code>dd-trace-java</code> library intercepts the incoming request and attempts to parse the malformed <code>baggage</code> header for distributed tracing propagation.</li>
<li>Due to the lack of item-count or byte-size limits on the extraction path, the library consumes an unbounded amount of CPU and memory resources while processing the oversized header.</li>
<li>This uncontrolled resource consumption leads to significant CPU utilization and memory exhaustion on the application server.</li>
<li>The server's resources are depleted, resulting in a denial-of-service condition, making the application unresponsive and unavailable to legitimate users.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2026-50270 results in a remote denial-of-service (DoS) against affected HTTP services. Attackers can render applications unresponsive and unavailable to legitimate users by consuming all available CPU and memory resources. Since the vulnerability is exploitable by remote, unauthenticated attackers, it poses a significant risk to any internet-facing service utilizing <code>dd-trace-java</code> versions prior to 1.62.0, especially when W3C baggage propagation is enabled by default. There are no reported specific victim counts or sectors, but any organization using the vulnerable library is at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the <code>dd-trace-java</code> library to version 1.62.0 or later immediately to patch CVE-2026-50270.</li>
<li>If immediate upgrade is not possible, disable <code>baggage</code> extraction by removing <code>baggage</code> from the <code>DD_TRACE_PROPAGATION_STYLE</code> environment variable (or <code>DD_TRACE_PROPAGATION_STYLE_EXTRACT</code> if set independently).</li>
<li>Implement maximum HTTP request header size limits at an upstream proxy or web server (e.g., Apache's <code>LimitRequestFieldSize</code>, Nginx's <code>large_client_header_buffers</code>, or Envoy's <code>max_request_headers_kb</code>) as a compensatory control against oversized W3C baggage headers.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>denial-of-service</category><category>java</category><category>vulnerability</category><category>w3c</category><category>datadog</category></item></channel></rss>