Skip to content
Threat Feed

Tag

Datadog

3 briefs RSS
medium advisory

Datadog dd-trace-go Library Vulnerability May Lead to Denial of Service

A vulnerability, CVE-2026-50274, in Datadog's `dd-trace-go` library (versions <= 1.24.1 and v2 < 2.8.1) allows a remote, unauthenticated attacker to cause a Denial of Service (DoS) by sending HTTP requests with oversized W3C baggage headers, leading to unbounded CPU and memory consumption in instrumented services.

go/github.com/DataDog/dd-trace-go +1 denial-of-service vulnerability supply-chain go datadog
1t
medium advisory

Datadog dd-trace-js W3C Baggage Header Denial of Service Vulnerability

The Datadog `dd-trace-js` library, specifically versions older than 5.100.0, is vulnerable to a Denial of Service (DoS) attack where improper parsing of W3C baggage HTTP headers allows a remote, unauthenticated attacker to send requests with an arbitrarily large number of comma-separated key-value pairs, leading to unbounded CPU and memory consumption and enabling a remote DoS against any HTTP service instrumented with the affected library where baggage propagation is enabled.

dd-trace-js denial-of-service vulnerability javascript nodejs datadog
1t
medium advisory

Datadog dd-trace-java DoS Vulnerability via W3C Baggage Headers

A denial-of-service vulnerability, CVE-2026-50270, exists in Datadog tracing libraries (dd-trace-java prior to version 1.62.0) that implement W3C baggage propagation. Remote, unauthenticated attackers can exploit this by sending HTTP requests with W3C baggage headers containing an arbitrarily large number of comma-separated key-value pairs. The tracer, when extracting these headers, fails to enforce item-count or byte-size limits, leading to unbounded CPU and memory consumption as it allocates hash-map entries for each pair, thereby causing a denial of service against the instrumented HTTP service.

dd-java-agent denial-of-service java vulnerability w3c datadog
1t