
DoS Vulnerability in TraceContextPropagator.Extract

High
rajkumar-rangaraj published GHSA-8785-wc3w-h8q6 Mar 5, 2025

Package

nuget OpenTelemetry.Api (NuGet)

Affected versions

1.10.0-beta.1, 1.10.0-rc.1, 1.10.0, 1.11.0-rc.1, 1.11.0, 1.11.1

Patched versions

1.11.2

Description

Impact

What kind of vulnerability is it? Who is impacted?

A vulnerability in the OpenTelemetry.Api package, versions 1.10.0 to 1.11.1, can cause a Denial of Service (DoS) when tracestate and traceparent headers are received.

  • Even if an application does not explicitly use trace context propagation, receiving these headers can still trigger high CPU usage.
  • This issue impacts any application accessible over the web, and any backend service, that processes HTTP requests containing a tracestate header.
  • Applications may experience excessive resource consumption, leading to increased latency, degraded performance, or downtime.

Patches

Has the problem been patched? What versions should users upgrade to?

This issue has been resolved in OpenTelemetry.Api 1.11.2 by reverting the change that introduced the problematic behavior in versions 1.10.0 to 1.11.1.

  • The fix ensures that valid tracing headers no longer cause excessive CPU consumption when received in requests.
  • Fixed Version:

    OpenTelemetry .NET Version    Status
    <= 1.9.x                      ✅ Not affected
    1.10.0 - 1.11.1               ❌ Vulnerable
    1.11.2 (Fixed)                ✅ Safe to use

    Upgrade Command:

    dotnet add package OpenTelemetry --version 1.11.2

Delisting of Affected Packages

To prevent accidental usage, we have delisted the affected versions (1.10.0 to 1.11.1) from NuGet. Users should avoid these versions and upgrade to 1.11.2 immediately.
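The advisory lists the affected versions but gives no way to confirm which version a project actually pins. The script below is an added example, not code from the advisory or the OpenTelemetry project: it reads a .csproj, finds PackageReference entries for OpenTelemetry.Api, and flags any version in the vulnerable range. The sample project file is constructed for the example. One assumption goes slightly beyond the explicit list above: any version from 1.10.0-beta.1 up to but excluding 1.11.2 is treated as affected, which is the conservative reading of the advisory's range.

```python
import re
import xml.etree.ElementTree as ET

# Range taken from the advisory: every listed affected version lies in
# [1.10.0-beta.1, 1.11.2), and 1.11.2 is the patched release.
AFFECTED_FROM = "1.10.0-beta.1"
PATCHED = "1.11.2"
PACKAGE = "OpenTelemetry.Api"

_VERSION_RE = re.compile(
    r"(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?"
)


def parse_version(text):
    """Parse a NuGet SemVer 2 version string into a sortable key.

    A release sorts after every prerelease of the same core
    (1.10.0-rc.1 < 1.10.0); prerelease identifiers compare numerically
    when numeric and lexically otherwise, as SemVer specifies.
    """
    m = _VERSION_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"not a SemVer version: {text!r}")
    core = tuple(int(m.group(i)) for i in (1, 2, 3))
    prerelease = m.group(4)
    if prerelease is None:
        return (core, (1,))  # release: sorts above any prerelease key (0, ...)
    idents = tuple(
        (0, int(ident), "") if ident.isdigit() else (1, 0, ident)
        for ident in prerelease.split(".")
    )
    return (core, (0, idents))


def is_affected(version):
    """True when the version falls inside the advisory's vulnerable range."""
    key = parse_version(version)
    return parse_version(AFFECTED_FROM) <= key < parse_version(PATCHED)


def _local_name(tag):
    # Old-style project files carry an MSBuild xmlns; drop it so lookups work either way.
    return tag.rsplit("}", 1)[-1]


def find_package_versions(csproj_xml, package=PACKAGE):
    """Return the versions a csproj pins for `package` (attribute or child-element form)."""
    root = ET.fromstring(csproj_xml)
    versions = []
    for node in root.iter():
        if _local_name(node.tag) != "PackageReference" or node.get("Include") != package:
            continue
        version = node.get("Version")
        if version is None:
            child = next((c for c in node if _local_name(c.tag) == "Version"), None)
            version = child.text if child is not None else None
        if version:
            versions.append(version.strip())
    return versions


def audit_csproj(csproj_xml):
    """Map each pinned OpenTelemetry.Api version to whether it is affected."""
    return [(v, is_affected(v)) for v in find_package_versions(csproj_xml)]


# Constructed sample project file (not from the advisory) pinning an affected version.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="OpenTelemetry.Api" Version="1.11.1" />
    <PackageReference Include="Microsoft.Extensions.Logging" Version="9.0.0" />
  </ItemGroup>
</Project>
"""

if __name__ == "__main__":
    for version, affected in audit_csproj(SAMPLE_CSPROJ):
        state = f"VULNERABLE, upgrade to {PATCHED}" if affected else "not affected"
        print(f"{PACKAGE} {version}: {state}")
```

This only sees direct references. OpenTelemetry.Api usually arrives transitively through the OpenTelemetry package, so also check resolved versions with `dotnet list package --include-transitive` and run the same range check over the versions it reports.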

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

References

Are there any links users can visit to find out more?

Severity

High


CVSS v3 base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE ID

CVE-2025-27513

Weaknesses

No CWEs