<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Dd-Trace-Py &lt; 4.8.2 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/dd-trace-py--4.8.2/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 15 Jul 2026 22:57:30 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/dd-trace-py--4.8.2/feed.xml" rel="self" type="application/rss+xml"/><item><title>Datadog dd-trace-py Improper Parsing of W3C Baggage Headers Leads to DoS</title><link>https://feed.craftedsignal.io/briefs/2026-07-dos-dd-trace-py/</link><pubDate>Wed, 15 Jul 2026 22:57:30 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-dos-dd-trace-py/</guid><description>The Datadog dd-trace-py tracing library, versions prior to 4.8.2, is vulnerable to a Denial of Service (DoS) attack due to improper parsing of W3C baggage HTTP headers, which fails to enforce item-count or byte-size limits on the extraction path, allowing an unauthenticated attacker to send a request with an arbitrarily large baggage header causing unbounded CPU and memory consumption.</description><content:encoded><![CDATA[<p>The <code>dd-trace-py</code> library, a Python tracing library for Datadog, versions prior to 4.8.2, contains a Denial of Service (DoS) vulnerability (CVE-2026-50271). This vulnerability stems from improper parsing of W3C baggage HTTP headers. While the library enforces <code>DD_TRACE_BAGGAGE_MAX_ITEMS</code> (default 64) and <code>DD_TRACE_BAGGAGE_MAX_BYTES</code> (default 8192) limits during baggage <em>injection</em>, these limits are not applied during baggage <em>extraction</em>. A remote, unauthenticated attacker can exploit this by sending an HTTP request containing a <code>baggage</code> header with an arbitrarily large number of comma-separated key-value pairs or a single, excessively long value. The vulnerable tracer will allocate a hash-map entry for each pair on every request without bounds, leading to severe CPU and memory consumption. This can result in a remote DoS against any internet-facing HTTP service instrumented with an affected <code>dd-trace-py</code> version, especially since baggage propagation is typically enabled by default. The issue was published on 2026-07-15.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker crafts an HTTP request targeting an internet-facing application instrumented with <code>dd-trace-py</code>.</li>
<li>The attacker includes a <code>W3C baggage</code> HTTP header in the request, designed to contain an excessive number of comma-separated key-value pairs or a single, extremely long value.</li>
<li>The vulnerable application, running <code>dd-trace-py</code> versions prior to 4.8.2 with default baggage propagation settings, receives the malformed request.</li>
<li>The <code>dd-trace-py</code> library begins to parse the incoming <code>baggage</code> header. During this extraction process, it fails to enforce configured limits on item count or byte size.</li>
<li>This unbounded parsing leads to the allocation of an arbitrarily large number of hash-map entries and excessive processing, consuming high CPU and memory resources on the server.</li>
<li>The server's computational and memory resources become exhausted, causing the instrumented application to become unresponsive and resulting in a Denial of Service (DoS).</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-50271 leads to a Denial of Service against any HTTP service instrumented with vulnerable <code>dd-trace-py</code> versions. The impact includes unbounded CPU and memory consumption on the targeted server, rendering the application unresponsive and unavailable to legitimate users. Since baggage propagation is often enabled by default, a wide range of internet-facing services could be vulnerable without explicit configuration changes or upgrades. The attack is unauthenticated, allowing any remote actor to trigger the DoS condition.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the <code>dd-trace-py</code> library to version 4.8.2 or later immediately to patch CVE-2026-50271.</li>
<li>If immediate upgrade is not possible, disable <code>baggage</code> extraction by removing <code>baggage</code> from the <code>DD_TRACE_PROPAGATION_STYLE</code> environment variable, or from <code>DD_TRACE_PROPAGATION_STYLE_EXTRACT</code> if set independently.</li>
<li>Implement measures at an upstream proxy or web server to cap the maximum HTTP request header size (e.g., configure Apache's <code>LimitRequestFieldSize</code>, Nginx's <code>large_client_header_buffers</code>, or Envoy's <code>max_request_headers_kb</code>).</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>denial-of-service</category><category>vulnerability</category><category>python</category><category>supply-chain</category></item></channel></rss>