{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/dd-trace-py--4.8.2/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["dd-trace-py \u003c 4.8.2"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","vulnerability","python","supply-chain"],"_cs_type":"advisory","_cs_vendors":["Datadog"],"content_html":"\u003cp\u003eThe \u003ccode\u003edd-trace-py\u003c/code\u003e library, a Python tracing library for Datadog, versions prior to 4.8.2, contains a Denial of Service (DoS) vulnerability (CVE-2026-50271). This vulnerability stems from improper parsing of W3C baggage HTTP headers. While the library enforces \u003ccode\u003eDD_TRACE_BAGGAGE_MAX_ITEMS\u003c/code\u003e (default 64) and \u003ccode\u003eDD_TRACE_BAGGAGE_MAX_BYTES\u003c/code\u003e (default 8192) limits during baggage \u003cem\u003einjection\u003c/em\u003e, these limits are not applied during baggage \u003cem\u003eextraction\u003c/em\u003e. A remote, unauthenticated attacker can exploit this by sending an HTTP request containing a \u003ccode\u003ebaggage\u003c/code\u003e header with an arbitrarily large number of comma-separated key-value pairs or a single, excessively long value. The vulnerable tracer will allocate a hash-map entry for each pair on every request without bounds, leading to severe CPU and memory consumption. This can result in a remote DoS against any internet-facing HTTP service instrumented with an affected \u003ccode\u003edd-trace-py\u003c/code\u003e version, especially since baggage propagation is typically enabled by default. The issue was published on 2026-07-15.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker crafts an HTTP request targeting an internet-facing application instrumented with \u003ccode\u003edd-trace-py\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker includes a \u003ccode\u003eW3C baggage\u003c/code\u003e HTTP header in the request, designed to contain an excessive number of comma-separated key-value pairs or a single, extremely long value.\u003c/li\u003e\n\u003cli\u003eThe vulnerable application, running \u003ccode\u003edd-trace-py\u003c/code\u003e versions prior to 4.8.2 with default baggage propagation settings, receives the malformed request.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003edd-trace-py\u003c/code\u003e library begins to parse the incoming \u003ccode\u003ebaggage\u003c/code\u003e header. During this extraction process, it fails to enforce configured limits on item count or byte size.\u003c/li\u003e\n\u003cli\u003eThis unbounded parsing leads to the allocation of an arbitrarily large number of hash-map entries and excessive processing, consuming high CPU and memory resources on the server.\u003c/li\u003e\n\u003cli\u003eThe server's computational and memory resources become exhausted, causing the instrumented application to become unresponsive and resulting in a Denial of Service (DoS).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-50271 leads to a Denial of Service against any HTTP service instrumented with vulnerable \u003ccode\u003edd-trace-py\u003c/code\u003e versions. The impact includes unbounded CPU and memory consumption on the targeted server, rendering the application unresponsive and unavailable to legitimate users. Since baggage propagation is often enabled by default, a wide range of internet-facing services could be vulnerable without explicit configuration changes or upgrades. The attack is unauthenticated, allowing any remote actor to trigger the DoS condition.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003edd-trace-py\u003c/code\u003e library to version 4.8.2 or later immediately to patch CVE-2026-50271.\u003c/li\u003e\n\u003cli\u003eIf immediate upgrade is not possible, disable \u003ccode\u003ebaggage\u003c/code\u003e extraction by removing \u003ccode\u003ebaggage\u003c/code\u003e from the \u003ccode\u003eDD_TRACE_PROPAGATION_STYLE\u003c/code\u003e environment variable, or from \u003ccode\u003eDD_TRACE_PROPAGATION_STYLE_EXTRACT\u003c/code\u003e if set independently.\u003c/li\u003e\n\u003cli\u003eImplement measures at an upstream proxy or web server to cap the maximum HTTP request header size (e.g., configure Apache's \u003ccode\u003eLimitRequestFieldSize\u003c/code\u003e, Nginx's \u003ccode\u003elarge_client_header_buffers\u003c/code\u003e, or Envoy's \u003ccode\u003emax_request_headers_kb\u003c/code\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-15T22:57:30Z","date_published":"2026-07-15T22:57:30Z","id":"https://feed.craftedsignal.io/briefs/2026-07-dos-dd-trace-py/","summary":"The Datadog dd-trace-py tracing library, versions prior to 4.8.2, is vulnerable to a Denial of Service (DoS) attack due to improper parsing of W3C baggage HTTP headers, which fails to enforce item-count or byte-size limits on the extraction path, allowing an unauthenticated attacker to send a request with an arbitrarily large baggage header causing unbounded CPU and memory consumption.","title":"Datadog dd-trace-py Improper Parsing of W3C Baggage Headers Leads to DoS","url":"https://feed.craftedsignal.io/briefs/2026-07-dos-dd-trace-py/"}],"language":"en","title":"CraftedSignal Threat Feed - Dd-Trace-Py \u003c 4.8.2","version":"https://jsonfeed.org/version/1.1"}