<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Dd-Trace-Rb &lt; 2.32.0 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/dd-trace-rb--2.32.0/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 15 Jul 2026 23:09:44 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/dd-trace-rb--2.32.0/feed.xml" rel="self" type="application/rss+xml"/><item><title>dd-trace-rb: Improper Parsing of W3C Baggage Headers Leads to DoS</title><link>https://feed.craftedsignal.io/briefs/2026-07-dd-trace-rb-dos/</link><pubDate>Wed, 15 Jul 2026 23:09:44 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-dd-trace-rb-dos/</guid><description>A vulnerability (CVE-2026-50276) in Datadog tracing libraries, specifically `dd-trace-rb` versions prior to 2.32.0, allows a remote and unauthenticated attacker to perform a Denial of Service (DoS) by sending HTTP requests with malformed W3C baggage headers, leading to unbounded CPU and memory consumption.</description><content:encoded><![CDATA[<p>A high-severity vulnerability (CVE-2026-50276) in Datadog tracing libraries, specifically <code>dd-trace-rb</code> versions prior to 2.32.0, allows a remote and unauthenticated attacker to execute a Denial of Service (DoS) attack. The flaw stems from improper parsing of incoming W3C baggage HTTP headers; while limits exist for baggage injection, the library fails to enforce item-count or byte-size limits during extraction. This means an attacker can send a request containing a <code>baggage</code> header with an arbitrarily large number of comma-separated key-value pairs or a single very large value. The tracer's attempt to allocate a hash-map entry for each pair on every request leads to unbounded CPU and memory consumption. This vulnerability affects any internet-facing HTTP service instrumented with an affected <code>dd-trace-rb</code> version, particularly as baggage propagation style is often enabled by default, making them susceptible to remote resource exhaustion and service unavailability.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies an internet-facing HTTP service instrumented with a vulnerable <code>dd-trace-rb</code> library.</li>
<li>The attacker crafts an HTTP request containing an excessively long or item-rich <code>W3C baggage</code> header.</li>
<li>The crafted HTTP request is sent to the target service.</li>
<li>The vulnerable <code>dd-trace-rb</code> library within the service receives the request and attempts to parse the <code>baggage</code> header.</li>
<li>The library allocates hash-map entries for each key-value pair or attempts to process the single large value without enforcing item-count or byte-size limits during the extraction process.</li>
<li>This uncontrolled parsing and allocation causes unbounded CPU and memory consumption within the application process.</li>
<li>The application becomes unresponsive or crashes due to resource exhaustion, resulting in a Denial of Service for legitimate users.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The vulnerability allows a remote, unauthenticated attacker to cause a Denial of Service (DoS) against any HTTP service instrumented with affected <code>dd-trace-rb</code> versions. The impact manifests as unbounded CPU and memory consumption, leading to application unresponsiveness, crashes, and complete service unavailability. This is particularly critical as baggage propagation style is enabled by default in most affected tracers, exposing a wide range of internet-facing services unless explicit mitigation steps have been taken. The vulnerability can disrupt critical services and business operations by rendering applications inaccessible.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade <code>dd-trace-rb</code> to version 2.32.0 or later to patch CVE-2026-50276.</li>
<li>Disable <code>baggage</code> extraction by removing <code>baggage</code> from the <code>DD_TRACE_PROPAGATION_STYLE</code> or <code>DD_TRACE_PROPAGATION_STYLE_EXTRACT</code> environment variables if immediate upgrade is not possible.</li>
<li>Implement HTTP request header size limits at upstream proxies or web servers, such as Apache's <code>LimitRequestFieldSize</code>, Nginx's <code>large_client_header_buffers</code>, or Envoy's <code>max_request_headers_kb</code>, to prevent oversized headers from reaching the application.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>denial-of-service</category><category>vulnerability</category><category>ruby</category><category>web</category></item></channel></rss>