Skip to content

opentelemetry-go's baggage parsing no longer caps raw header length

Moderate severity GitHub Reviewed Published May 28, 2026 in open-telemetry/opentelemetry-go

Package

gomod go.opentelemetry.io/otel/baggage (Go)

Affected versions

= 1.41.0
= 1.43.0

Patched versions

1.42.0
1.44.0
gomod go.opentelemetry.io/otel/propagation (Go)
= 1.41.0
= 1.43.0
1.42.0
1.44.0

Description

Summary

open-telemetry/opentelemetry-go#7880 removed raw-length rejection and it causes Parse to process arbitrarily large/invalid baggage headers and log errors, enabling DoS via oversized inputs.

Details

The commit removes the upfront baggage-string length check and the per-member size guard in parsing. Parse now walks the entire input with strings.SplitSeq and skips invalid members while continuing to process the rest. For very large or malformed baggage headers, the parser still fully tokenizes and percent-decodes each member, and errors are forwarded to the global error handler (default logging). This lets a remote client send oversized/invalid headers to trigger excessive CPU/memory work and potentially large log output before any size limit is enforced, creating a denial-of-service risk in services that do not already enforce strict header size limits.

Summary:

  • In baggage/baggage.go, parseMember performs full parsing and PathUnescape on the entire member without any size guard, amplifying work for large inputs. Parse no longer checks bStr length and continues processing invalid members, so oversized/invalid headers are fully parsed instead of being rejected early.
  • In propagation/baggage.go, parsing errors from attacker-controlled headers are sent to the global error handler (default logging), which can amplify oversized-input impact.

PoC

baggage_dos_poc.tar.gz

Impact

The issue is reachable through standard propagation parsing (in-scope) and can be exploited remotely to cause CPU/log amplification, but the impact is availability-only and bounded by transport header limits and configurable error handling, supporting a medium severity rather than high/critical.

baggage.Parse iterates over all list members with strings.SplitSeq and skips invalid members while continuing, without a raw-length guard. parseMember performs full parsing and PathUnescape on each member, and propagation.Baggage forwards parsing errors to the global error handler, which logs by default. A remote client can therefore send oversized/invalid baggage headers that bypass the 8KB limit for valid members, causing extra CPU work and large log output, resulting in availability/log amplification in services that accept large headers and use the default handler.

Assumptions:

  • An instrumented service uses the OpenTelemetry baggage propagator for inbound request parsing.
  • Attackers can send oversized or malformed baggage headers that pass the hosting server/proxy header size limits.
  • The default error handler is used or logs are otherwise emitted for parse errors.
  • Inbound request parsing with propagation.Baggage
  • Oversized/invalid baggage headers accepted by the HTTP/gRPC stack
  • Error handler not suppressing parse errors

References

@pellared pellared published to open-telemetry/opentelemetry-go May 28, 2026
Published to the GitHub Advisory Database May 28, 2026
Reviewed May 28, 2026

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS score

Weaknesses

Memory Allocation with Excessive Size Value

The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated. Learn more on MITRE.

CVE ID

CVE-2026-41178

GHSA ID

GHSA-5wrp-cwcj-q835

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.