{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/dd-trace-rb--2.32.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["dd-trace-rb \u003c 2.32.0"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","vulnerability","ruby","web"],"_cs_type":"advisory","_cs_vendors":["Datadog"],"content_html":"\u003cp\u003eA high-severity vulnerability (CVE-2026-50276) in Datadog tracing libraries, specifically \u003ccode\u003edd-trace-rb\u003c/code\u003e versions prior to 2.32.0, allows a remote and unauthenticated attacker to execute a Denial of Service (DoS) attack. The flaw stems from improper parsing of incoming W3C baggage HTTP headers; while limits exist for baggage injection, the library fails to enforce item-count or byte-size limits during extraction. This means an attacker can send a request containing a \u003ccode\u003ebaggage\u003c/code\u003e header with an arbitrarily large number of comma-separated key-value pairs or a single very large value. The tracer's attempt to allocate a hash-map entry for each pair on every request leads to unbounded CPU and memory consumption. This vulnerability affects any internet-facing HTTP service instrumented with an affected \u003ccode\u003edd-trace-rb\u003c/code\u003e version, particularly as baggage propagation style is often enabled by default, making them susceptible to remote resource exhaustion and service unavailability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an internet-facing HTTP service instrumented with a vulnerable \u003ccode\u003edd-trace-rb\u003c/code\u003e library.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP request containing an excessively long or item-rich \u003ccode\u003eW3C baggage\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eThe crafted HTTP request is sent to the target service.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003edd-trace-rb\u003c/code\u003e library within the service receives the request and attempts to parse the \u003ccode\u003ebaggage\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eThe library allocates hash-map entries for each key-value pair or attempts to process the single large value without enforcing item-count or byte-size limits during the extraction process.\u003c/li\u003e\n\u003cli\u003eThis uncontrolled parsing and allocation causes unbounded CPU and memory consumption within the application process.\u003c/li\u003e\n\u003cli\u003eThe application becomes unresponsive or crashes due to resource exhaustion, resulting in a Denial of Service for legitimate users.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability allows a remote, unauthenticated attacker to cause a Denial of Service (DoS) against any HTTP service instrumented with affected \u003ccode\u003edd-trace-rb\u003c/code\u003e versions. The impact manifests as unbounded CPU and memory consumption, leading to application unresponsiveness, crashes, and complete service unavailability. This is particularly critical as baggage propagation style is enabled by default in most affected tracers, exposing a wide range of internet-facing services unless explicit mitigation steps have been taken. The vulnerability can disrupt critical services and business operations by rendering applications inaccessible.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003edd-trace-rb\u003c/code\u003e to version 2.32.0 or later to patch CVE-2026-50276.\u003c/li\u003e\n\u003cli\u003eDisable \u003ccode\u003ebaggage\u003c/code\u003e extraction by removing \u003ccode\u003ebaggage\u003c/code\u003e from the \u003ccode\u003eDD_TRACE_PROPAGATION_STYLE\u003c/code\u003e or \u003ccode\u003eDD_TRACE_PROPAGATION_STYLE_EXTRACT\u003c/code\u003e environment variables if immediate upgrade is not possible.\u003c/li\u003e\n\u003cli\u003eImplement HTTP request header size limits at upstream proxies or web servers, such as Apache's \u003ccode\u003eLimitRequestFieldSize\u003c/code\u003e, Nginx's \u003ccode\u003elarge_client_header_buffers\u003c/code\u003e, or Envoy's \u003ccode\u003emax_request_headers_kb\u003c/code\u003e, to prevent oversized headers from reaching the application.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-15T23:09:44Z","date_published":"2026-07-15T23:09:44Z","id":"https://feed.craftedsignal.io/briefs/2026-07-dd-trace-rb-dos/","summary":"A vulnerability (CVE-2026-50276) in Datadog tracing libraries, specifically `dd-trace-rb` versions prior to 2.32.0, allows a remote and unauthenticated attacker to perform a Denial of Service (DoS) by sending HTTP requests with malformed W3C baggage headers, leading to unbounded CPU and memory consumption.","title":"dd-trace-rb: Improper Parsing of W3C Baggage Headers Leads to DoS","url":"https://feed.craftedsignal.io/briefs/2026-07-dd-trace-rb-dos/"}],"language":"en","title":"CraftedSignal Threat Feed - Dd-Trace-Rb \u003c 2.32.0","version":"https://jsonfeed.org/version/1.1"}