<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Datadog - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/datadog/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 15 Jul 2026 23:06:22 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/datadog/feed.xml" rel="self" type="application/rss+xml"/><item><title>Datadog dd-trace-go Library Vulnerability May Lead to Denial of Service</title><link>https://feed.craftedsignal.io/briefs/2026-07-dd-trace-go-dos/</link><pubDate>Wed, 15 Jul 2026 23:06:22 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-dd-trace-go-dos/</guid><description>A vulnerability, CVE-2026-50274, in Datadog's `dd-trace-go` library (versions &lt;= 1.24.1 and v2 &lt; 2.8.1) allows a remote, unauthenticated attacker to cause a Denial of Service (DoS) by sending HTTP requests with oversized W3C baggage headers, leading to unbounded CPU and memory consumption in instrumented services.</description><content:encoded><![CDATA[<p>A high-severity vulnerability, identified as CVE-2026-50274, exists in the Datadog <code>dd-trace-go</code> tracing libraries, specifically versions 1.x (up to 1.24.1) and 2.x (up to 2.8.0). This flaw stems from improper parsing of incoming W3C baggage HTTP headers, where the libraries fail to enforce item-count or byte-size limits during the extraction process. The default limits (DD_TRACE_BAGGAGE_MAX_ITEMS=64, DD_TRACE_BAGGAGE_MAX_BYTES=8192) are only applied during baggage injection, not extraction. This oversight allows a remote, unauthenticated attacker to send specially crafted HTTP requests containing an arbitrarily large number of comma-separated key-value pairs or a single very large value within the baggage header. This malicious input causes the tracer to allocate an excessive number of hash-map entries for each request, leading to unbounded CPU and memory consumption, ultimately resulting in a Denial of Service (DoS) against any HTTP service instrumented with the affected tracer version where baggage propagation is enabled by default.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker crafts an HTTP request targeting an internet-facing service instrumented with a vulnerable <code>dd-trace-go</code> library.</li>
<li>The attacker includes a W3C <code>baggage</code> HTTP header in the request containing an exceptionally large number of comma-separated key-value pairs or a single, very large value.</li>
<li>The vulnerable <code>dd-trace-go</code> library, upon receiving the request, attempts to parse and extract the W3C baggage header.</li>
<li>Due to the lack of item-count or byte-size limits during extraction, the tracer allocates a hash-map entry for each key-value pair.</li>
<li>This unbounded allocation leads to significant and continuous increases in the service's CPU utilization and memory consumption.</li>
<li>The sustained resource exhaustion prevents the service from processing legitimate requests, resulting in a Denial of Service (DoS).</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-50274 leads to a Denial of Service (DoS) condition on affected HTTP services. Attackers can remotely trigger unbounded CPU and memory consumption, causing the service to become unresponsive or crash. This impacts the availability of critical applications that rely on the <code>dd-trace-go</code> library for distributed tracing, potentially disrupting business operations and hindering monitoring capabilities. The vulnerability affects services that have baggage propagation style enabled by default or explicitly configured.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-50274 immediately by upgrading <code>dd-trace-go</code> to version 2.8.1 or later. For those using <code>dd-trace-go</code> 1.x, the recommendation is to migrate to <code>v2.8.1</code> or newer.</li>
<li>If immediate upgrade to <code>dd-trace-go</code> version 2.8.1 is not feasible, disable <code>baggage</code> extraction by removing <code>baggage</code> from the <code>DD_TRACE_PROPAGATION_STYLE</code> environment variable. Alternatively, if <code>DD_TRACE_PROPAGATION_STYLE_EXTRACT</code> is set independently, remove <code>baggage</code> from its value.</li>
<li>As an additional mitigation, cap the maximum HTTP request header size at an upstream proxy or web server. Refer to documentation for Apache (<code>LimitRequestFieldSize</code>), Nginx (<code>large_client_header_buffers</code>), or Envoy (<code>max_request_headers_kb</code>) to configure appropriate limits for HTTP header sizes.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>denial-of-service</category><category>vulnerability</category><category>supply-chain</category><category>go</category><category>datadog</category></item><item><title>Datadog dd-trace-js W3C Baggage Header Denial of Service Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-07-dd-trace-js-dos/</link><pubDate>Wed, 15 Jul 2026 22:59:58 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-dd-trace-js-dos/</guid><description>The Datadog `dd-trace-js` library, specifically versions older than 5.100.0, is vulnerable to a Denial of Service (DoS) attack where improper parsing of W3C baggage HTTP headers allows a remote, unauthenticated attacker to send requests with an arbitrarily large number of comma-separated key-value pairs, leading to unbounded CPU and memory consumption and enabling a remote DoS against any HTTP service instrumented with the affected library where baggage propagation is enabled.</description><content:encoded><![CDATA[<p>A high-severity Denial of Service (DoS) vulnerability, tracked as CVE-2026-50272, affects Datadog's <code>dd-trace-js</code> library in versions prior to 5.100.0. This flaw stems from the library's improper parsing of W3C baggage HTTP headers. While limits (<code>DD_TRACE_BAGGAGE_MAX_ITEMS</code> and <code>DD_TRACE_BAGGAGE_MAX_BYTES</code>) are enforced during baggage injection, they are not applied during extraction. This allows a remote, unauthenticated attacker to craft and send HTTP requests containing an arbitrarily large number of comma-separated key-value pairs or a single very large value within the <code>baggage</code> header. When a vulnerable service receives such a request, the <code>dd-trace-js</code> tracer attempts to allocate a hash-map entry for each pair, leading to unbounded consumption of CPU and memory resources, ultimately resulting in a Denial of Service. The baggage propagation style, which enables this vulnerability, is often enabled by default in affected tracers, making internet-facing services instrumented with these versions particularly susceptible.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Attacker crafts malicious HTTP request</strong>: A remote, unauthenticated attacker constructs an HTTP request targeting an internet-facing service instrumented with <code>dd-trace-js</code>.</li>
<li><strong>Injects oversized W3C baggage header</strong>: The attacker inserts a W3C <code>baggage</code> HTTP header into the request, containing an exceptionally large number of comma-separated key-value pairs or a single, extremely long value.</li>
<li><strong>Request sent to vulnerable service</strong>: The malicious HTTP request is transmitted to the target service.</li>
<li><strong>Vulnerable <code>dd-trace-js</code> receives request</strong>: The service, running a vulnerable version of <code>dd-trace-js</code> (prior to 5.100.0) with baggage propagation enabled by default, receives the request.</li>
<li><strong>Improper header parsing occurs</strong>: The <code>dd-trace-js</code> library attempts to extract the baggage items from the oversized header without enforcing any item-count or byte-size limits on the extraction path.</li>
<li><strong>Resource exhaustion</strong>: The library continuously allocates hash-map entries for each perceived key-value pair, leading to unbounded consumption of CPU and memory resources.</li>
<li><strong>Denial of Service</strong>: The target service becomes unresponsive or crashes due to resource exhaustion, resulting in a Denial of Service for legitimate users.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-50272 leads to a Denial of Service (DoS) against HTTP services that are instrumented with vulnerable versions of the <code>dd-trace-js</code> library (prior to 5.100.0). Attackers can trigger this by sending a crafted HTTP request with an oversized W3C baggage header, causing the tracer to consume unbounded CPU and memory resources. This resource exhaustion can crash the targeted service, making it unavailable to legitimate users. Any internet-facing service utilizing the affected library with the baggage propagation style enabled (which is often the default configuration) is at risk, potentially leading to significant service disruption and operational downtime.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the <code>dd-trace-js</code> library to version <code>5.100.0</code> or later immediately to patch CVE-2026-50272.</li>
<li>If immediate upgrade is not feasible, disable <code>baggage</code> extraction by modifying <code>DD_TRACE_PROPAGATION_STYLE</code> or <code>DD_TRACE_PROPAGATION_STYLE_EXTRACT</code> to remove <code>baggage</code>.</li>
<li>Implement upstream proxy or web server configurations to cap the maximum HTTP request header size. For example, configure Apache <code>LimitRequestFieldSize</code>, Nginx <code>large_client_header_buffers</code>, or Envoy <code>max_request_headers_kb</code>.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>denial-of-service</category><category>vulnerability</category><category>javascript</category><category>nodejs</category><category>datadog</category></item><item><title>Datadog dd-trace-java DoS Vulnerability via W3C Baggage Headers</title><link>https://feed.craftedsignal.io/briefs/2026-07-dos-dd-trace-java/</link><pubDate>Wed, 15 Jul 2026 22:55:01 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-dos-dd-trace-java/</guid><description>A denial-of-service vulnerability, CVE-2026-50270, exists in Datadog tracing libraries (dd-trace-java prior to version 1.62.0) that implement W3C baggage propagation. Remote, unauthenticated attackers can exploit this by sending HTTP requests with W3C baggage headers containing an arbitrarily large number of comma-separated key-value pairs. The tracer, when extracting these headers, fails to enforce item-count or byte-size limits, leading to unbounded CPU and memory consumption as it allocates hash-map entries for each pair, thereby causing a denial of service against the instrumented HTTP service.</description><content:encoded><![CDATA[<p>A high-severity denial-of-service vulnerability, tracked as CVE-2026-50270, affects Datadog's <code>dd-trace-java</code> library versions prior to 1.62.0. This flaw stems from improper parsing of W3C baggage HTTP headers without enforcing item-count or byte-size limits during the extraction process. While limits exist for baggage injection, they are not applied during extraction. A remote, unauthenticated attacker can exploit this by sending a specially crafted HTTP request containing an oversized or malformed W3C <code>baggage</code> header. This malicious header, when processed by the vulnerable tracer, triggers unbounded CPU and memory consumption as the library attempts to allocate hash-map entries for each of the numerous key-value pairs, leading to a denial of service against any internet-facing HTTP service instrumented with the affected <code>dd-trace-java</code> versions. W3C baggage propagation is often enabled by default, increasing the attack surface.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies an internet-facing Java application instrumented with a vulnerable <code>dd-trace-java</code> version (prior to 1.62.0) that has W3C baggage propagation enabled.</li>
<li>The attacker crafts a malicious HTTP request, including a W3C <code>baggage</code> header containing an excessively large number of comma-separated key-value pairs or a single extremely long value.</li>
<li>The crafted HTTP request is sent by the attacker to the target application's exposed HTTP endpoint.</li>
<li>The vulnerable <code>dd-trace-java</code> library intercepts the incoming request and attempts to parse the malformed <code>baggage</code> header for distributed tracing propagation.</li>
<li>Due to the lack of item-count or byte-size limits on the extraction path, the library consumes an unbounded amount of CPU and memory resources while processing the oversized header.</li>
<li>This uncontrolled resource consumption leads to significant CPU utilization and memory exhaustion on the application server.</li>
<li>The server's resources are depleted, resulting in a denial-of-service condition, making the application unresponsive and unavailable to legitimate users.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2026-50270 results in a remote denial-of-service (DoS) against affected HTTP services. Attackers can render applications unresponsive and unavailable to legitimate users by consuming all available CPU and memory resources. Since the vulnerability is exploitable by remote, unauthenticated attackers, it poses a significant risk to any internet-facing service utilizing <code>dd-trace-java</code> versions prior to 1.62.0, especially when W3C baggage propagation is enabled by default. There are no reported specific victim counts or sectors, but any organization using the vulnerable library is at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the <code>dd-trace-java</code> library to version 1.62.0 or later immediately to patch CVE-2026-50270.</li>
<li>If immediate upgrade is not possible, disable <code>baggage</code> extraction by removing <code>baggage</code> from the <code>DD_TRACE_PROPAGATION_STYLE</code> environment variable (or <code>DD_TRACE_PROPAGATION_STYLE_EXTRACT</code> if set independently).</li>
<li>Implement maximum HTTP request header size limits at an upstream proxy or web server (e.g., Apache's <code>LimitRequestFieldSize</code>, Nginx's <code>large_client_header_buffers</code>, or Envoy's <code>max_request_headers_kb</code>) as a compensatory control against oversized W3C baggage headers.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>denial-of-service</category><category>java</category><category>vulnerability</category><category>w3c</category><category>datadog</category></item></channel></rss>