{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/go/github.com/datadog/dd-trace-go--1.24.1/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["go/github.com/DataDog/dd-trace-go (\u003c= 1.24.1)","go/github.com/DataDog/dd-trace-go/v2 (\u003c 2.8.1)"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","vulnerability","supply-chain","go","datadog"],"_cs_type":"advisory","_cs_vendors":["Datadog"],"content_html":"\u003cp\u003eA high-severity vulnerability, identified as CVE-2026-50274, exists in the Datadog \u003ccode\u003edd-trace-go\u003c/code\u003e tracing libraries, specifically versions 1.x (up to 1.24.1) and 2.x (up to 2.8.0). This flaw stems from improper parsing of incoming W3C baggage HTTP headers, where the libraries fail to enforce item-count or byte-size limits during the extraction process. The default limits (DD_TRACE_BAGGAGE_MAX_ITEMS=64, DD_TRACE_BAGGAGE_MAX_BYTES=8192) are only applied during baggage injection, not extraction. This oversight allows a remote, unauthenticated attacker to send specially crafted HTTP requests containing an arbitrarily large number of comma-separated key-value pairs or a single very large value within the baggage header. This malicious input causes the tracer to allocate an excessive number of hash-map entries for each request, leading to unbounded CPU and memory consumption, ultimately resulting in a Denial of Service (DoS) against any HTTP service instrumented with the affected tracer version where baggage propagation is enabled by default.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker crafts an HTTP request targeting an internet-facing service instrumented with a vulnerable \u003ccode\u003edd-trace-go\u003c/code\u003e library.\u003c/li\u003e\n\u003cli\u003eThe attacker includes a W3C \u003ccode\u003ebaggage\u003c/code\u003e HTTP header in the request containing an exceptionally large number of comma-separated key-value pairs or a single, very large value.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003edd-trace-go\u003c/code\u003e library, upon receiving the request, attempts to parse and extract the W3C baggage header.\u003c/li\u003e\n\u003cli\u003eDue to the lack of item-count or byte-size limits during extraction, the tracer allocates a hash-map entry for each key-value pair.\u003c/li\u003e\n\u003cli\u003eThis unbounded allocation leads to significant and continuous increases in the service's CPU utilization and memory consumption.\u003c/li\u003e\n\u003cli\u003eThe sustained resource exhaustion prevents the service from processing legitimate requests, resulting in a Denial of Service (DoS).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-50274 leads to a Denial of Service (DoS) condition on affected HTTP services. Attackers can remotely trigger unbounded CPU and memory consumption, causing the service to become unresponsive or crash. This impacts the availability of critical applications that rely on the \u003ccode\u003edd-trace-go\u003c/code\u003e library for distributed tracing, potentially disrupting business operations and hindering monitoring capabilities. The vulnerability affects services that have baggage propagation style enabled by default or explicitly configured.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-50274 immediately by upgrading \u003ccode\u003edd-trace-go\u003c/code\u003e to version 2.8.1 or later. For those using \u003ccode\u003edd-trace-go\u003c/code\u003e 1.x, the recommendation is to migrate to \u003ccode\u003ev2.8.1\u003c/code\u003e or newer.\u003c/li\u003e\n\u003cli\u003eIf immediate upgrade to \u003ccode\u003edd-trace-go\u003c/code\u003e version 2.8.1 is not feasible, disable \u003ccode\u003ebaggage\u003c/code\u003e extraction by removing \u003ccode\u003ebaggage\u003c/code\u003e from the \u003ccode\u003eDD_TRACE_PROPAGATION_STYLE\u003c/code\u003e environment variable. Alternatively, if \u003ccode\u003eDD_TRACE_PROPAGATION_STYLE_EXTRACT\u003c/code\u003e is set independently, remove \u003ccode\u003ebaggage\u003c/code\u003e from its value.\u003c/li\u003e\n\u003cli\u003eAs an additional mitigation, cap the maximum HTTP request header size at an upstream proxy or web server. Refer to documentation for Apache (\u003ccode\u003eLimitRequestFieldSize\u003c/code\u003e), Nginx (\u003ccode\u003elarge_client_header_buffers\u003c/code\u003e), or Envoy (\u003ccode\u003emax_request_headers_kb\u003c/code\u003e) to configure appropriate limits for HTTP header sizes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-15T23:06:22Z","date_published":"2026-07-15T23:06:22Z","id":"https://feed.craftedsignal.io/briefs/2026-07-dd-trace-go-dos/","summary":"A vulnerability, CVE-2026-50274, in Datadog's `dd-trace-go` library (versions \u003c= 1.24.1 and v2 \u003c 2.8.1) allows a remote, unauthenticated attacker to cause a Denial of Service (DoS) by sending HTTP requests with oversized W3C baggage headers, leading to unbounded CPU and memory consumption in instrumented services.","title":"Datadog dd-trace-go Library Vulnerability May Lead to Denial of Service","url":"https://feed.craftedsignal.io/briefs/2026-07-dd-trace-go-dos/"}],"language":"en","title":"CraftedSignal Threat Feed - Go/Github.com/DataDog/Dd-Trace-Go (\u003c= 1.24.1)","version":"https://jsonfeed.org/version/1.1"}