Tag
A denial-of-service vulnerability, CVE-2026-50270, exists in Datadog tracing libraries (dd-trace-java prior to version 1.62.0) that implement W3C baggage propagation. Remote, unauthenticated attackers can exploit this by sending HTTP requests with W3C baggage headers containing an arbitrarily large number of comma-separated key-value pairs. The tracer, when extracting these headers, fails to enforce item-count or byte-size limits, leading to unbounded CPU and memory consumption as it allocates hash-map entries for each pair, thereby causing a denial of service against the instrumented HTTP service.