Tag
Datadog dd-trace-go Library Vulnerability May Lead to Denial of Service
1 TTPA vulnerability, CVE-2026-50274, in Datadog's `dd-trace-go` library (versions <= 1.24.1 and v2 < 2.8.1) allows a remote, unauthenticated attacker to cause a Denial of Service (DoS) by sending HTTP requests with oversized W3C baggage headers, leading to unbounded CPU and memory consumption in instrumented services.
Datadog dd-trace-js W3C Baggage Header Denial of Service Vulnerability
1 TTPThe Datadog `dd-trace-js` library, specifically versions older than 5.100.0, is vulnerable to a Denial of Service (DoS) attack where improper parsing of W3C baggage HTTP headers allows a remote, unauthenticated attacker to send requests with an arbitrarily large number of comma-separated key-value pairs, leading to unbounded CPU and memory consumption and enabling a remote DoS against any HTTP service instrumented with the affected library where baggage propagation is enabled.
Datadog dd-trace-java DoS Vulnerability via W3C Baggage Headers
1 TTPA denial-of-service vulnerability, CVE-2026-50270, exists in Datadog tracing libraries (dd-trace-java prior to version 1.62.0) that implement W3C baggage propagation. Remote, unauthenticated attackers can exploit this by sending HTTP requests with W3C baggage headers containing an arbitrarily large number of comma-separated key-value pairs. The tracer, when extracting these headers, fails to enforce item-count or byte-size limits, leading to unbounded CPU and memory consumption as it allocates hash-map entries for each pair, thereby causing a denial of service against the instrumented HTTP service.