{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/dd-trace-js--5.100.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["dd-trace-js (\u003c 5.100.0)"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","vulnerability","javascript","nodejs","datadog"],"_cs_type":"advisory","_cs_vendors":["Datadog"],"content_html":"\u003cp\u003eA high-severity Denial of Service (DoS) vulnerability, tracked as CVE-2026-50272, affects Datadog's \u003ccode\u003edd-trace-js\u003c/code\u003e library in versions prior to 5.100.0. This flaw stems from the library's improper parsing of W3C baggage HTTP headers. While limits (\u003ccode\u003eDD_TRACE_BAGGAGE_MAX_ITEMS\u003c/code\u003e and \u003ccode\u003eDD_TRACE_BAGGAGE_MAX_BYTES\u003c/code\u003e) are enforced during baggage injection, they are not applied during extraction. This allows a remote, unauthenticated attacker to craft and send HTTP requests containing an arbitrarily large number of comma-separated key-value pairs or a single very large value within the \u003ccode\u003ebaggage\u003c/code\u003e header. When a vulnerable service receives such a request, the \u003ccode\u003edd-trace-js\u003c/code\u003e tracer attempts to allocate a hash-map entry for each pair, leading to unbounded consumption of CPU and memory resources, ultimately resulting in a Denial of Service. The baggage propagation style, which enables this vulnerability, is often enabled by default in affected tracers, making internet-facing services instrumented with these versions particularly susceptible.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eAttacker crafts malicious HTTP request\u003c/strong\u003e: A remote, unauthenticated attacker constructs an HTTP request targeting an internet-facing service instrumented with \u003ccode\u003edd-trace-js\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInjects oversized W3C baggage header\u003c/strong\u003e: The attacker inserts a W3C \u003ccode\u003ebaggage\u003c/code\u003e HTTP header into the request, containing an exceptionally large number of comma-separated key-value pairs or a single, extremely long value.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRequest sent to vulnerable service\u003c/strong\u003e: The malicious HTTP request is transmitted to the target service.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerable \u003ccode\u003edd-trace-js\u003c/code\u003e receives request\u003c/strong\u003e: The service, running a vulnerable version of \u003ccode\u003edd-trace-js\u003c/code\u003e (prior to 5.100.0) with baggage propagation enabled by default, receives the request.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImproper header parsing occurs\u003c/strong\u003e: The \u003ccode\u003edd-trace-js\u003c/code\u003e library attempts to extract the baggage items from the oversized header without enforcing any item-count or byte-size limits on the extraction path.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eResource exhaustion\u003c/strong\u003e: The library continuously allocates hash-map entries for each perceived key-value pair, leading to unbounded consumption of CPU and memory resources.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDenial of Service\u003c/strong\u003e: The target service becomes unresponsive or crashes due to resource exhaustion, resulting in a Denial of Service for legitimate users.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-50272 leads to a Denial of Service (DoS) against HTTP services that are instrumented with vulnerable versions of the \u003ccode\u003edd-trace-js\u003c/code\u003e library (prior to 5.100.0). Attackers can trigger this by sending a crafted HTTP request with an oversized W3C baggage header, causing the tracer to consume unbounded CPU and memory resources. This resource exhaustion can crash the targeted service, making it unavailable to legitimate users. Any internet-facing service utilizing the affected library with the baggage propagation style enabled (which is often the default configuration) is at risk, potentially leading to significant service disruption and operational downtime.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003edd-trace-js\u003c/code\u003e library to version \u003ccode\u003e5.100.0\u003c/code\u003e or later immediately to patch CVE-2026-50272.\u003c/li\u003e\n\u003cli\u003eIf immediate upgrade is not feasible, disable \u003ccode\u003ebaggage\u003c/code\u003e extraction by modifying \u003ccode\u003eDD_TRACE_PROPAGATION_STYLE\u003c/code\u003e or \u003ccode\u003eDD_TRACE_PROPAGATION_STYLE_EXTRACT\u003c/code\u003e to remove \u003ccode\u003ebaggage\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement upstream proxy or web server configurations to cap the maximum HTTP request header size. For example, configure Apache \u003ccode\u003eLimitRequestFieldSize\u003c/code\u003e, Nginx \u003ccode\u003elarge_client_header_buffers\u003c/code\u003e, or Envoy \u003ccode\u003emax_request_headers_kb\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-15T22:59:58Z","date_published":"2026-07-15T22:59:58Z","id":"https://feed.craftedsignal.io/briefs/2026-07-dd-trace-js-dos/","summary":"The Datadog `dd-trace-js` library, specifically versions older than 5.100.0, is vulnerable to a Denial of Service (DoS) attack where improper parsing of W3C baggage HTTP headers allows a remote, unauthenticated attacker to send requests with an arbitrarily large number of comma-separated key-value pairs, leading to unbounded CPU and memory consumption and enabling a remote DoS against any HTTP service instrumented with the affected library where baggage propagation is enabled.","title":"Datadog dd-trace-js W3C Baggage Header Denial of Service Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-07-dd-trace-js-dos/"}],"language":"en","title":"CraftedSignal Threat Feed - Dd-Trace-Js (\u003c 5.100.0)","version":"https://jsonfeed.org/version/1.1"}