
Commit 0b83063

1 parent 05ec581 commit 0b83063

1 file changed

Lines changed: 126 additions & 0 deletions

@@ -0,0 +1,126 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-5wrp-cwcj-q835",
4+
"modified": "2026-05-28T17:04:19Z",
5+
"published": "2026-05-28T17:04:19Z",
6+
"aliases": [
7+
"CVE-2026-41178"
8+
],
9+
"summary": "opentelemetry-go's baggage parsing no longer caps raw header length",
10+
"details": "### Summary\n\nhttps://github.com/open-telemetry/opentelemetry-go/pull/7880 removed raw-length rejection and it causes `Parse` to process arbitrarily large/invalid baggage headers and log errors, enabling DoS via oversized inputs.\n\n\n### Details\n\nThe commit removes the upfront baggage-string length check and the per-member size guard in parsing. `Parse` now walks the entire input with `strings.SplitSeq` and skips invalid members while continuing to process the rest. For very large or malformed `baggage` headers, the parser still fully tokenizes and percent-decodes each member, and errors are forwarded to the global error handler (default logging). This lets a remote client send oversized/invalid headers to trigger excessive CPU/memory work and potentially large log output before any size limit is enforced, creating a denial-of-service risk in services that do not already enforce strict header size limits.\n\nSummary:\n- In `baggage/baggage.go`, `parseMember` performs full parsing and `PathUnescape` on the entire member without any size guard, amplifying work for large inputs. 
`Parse` no longer checks bStr length and continues processing invalid members, so oversized/invalid headers are fully parsed instead of being rejected early.\n- In `propagation/baggage.go`, parsing errors from attacker-controlled headers are sent to the global error handler (default logging), which can amplify oversized-input impact.\n\n### PoC\n\n[baggage_dos_poc.tar.gz](https://github.com/user-attachments/files/26677819/baggage_dos_poc.tar.gz)\n\n### Impact\n\nThe issue is reachable through standard propagation parsing (in-scope) and can be exploited remotely to cause CPU/log amplification, but the impact is availability-only and bounded by transport header limits and configurable error handling, supporting a medium severity rather than high/critical.\n\n`baggage.Parse` iterates over all list members with `strings.SplitSeq` and skips invalid members while continuing, without a raw-length guard. `parseMember` performs full parsing and `PathUnescape` on each member, and `propagation.Baggage` forwards parsing errors to the global error handler, which logs by default. A remote client can therefore send oversized/invalid baggage headers that bypass the 8KB limit for valid members, causing extra CPU work and large log output, resulting in availability/log amplification in services that accept large headers and use the default handler.\n\nAssumptions:\n\n- An instrumented service uses the OpenTelemetry baggage propagator for inbound request parsing.\n- Attackers can send oversized or malformed baggage headers that pass the hosting server/proxy header size limits.\n- The default error handler is used or logs are otherwise emitted for parse errors.\n- Inbound request parsing with propagation.Baggage\n- Oversized/invalid baggage headers accepted by the HTTP/gRPC stack\n- Error handler not suppressing parse errors",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Go",
21+
"name": "go.opentelemetry.io/otel/baggage"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "1.41.0"
29+
},
30+
{
31+
"fixed": "1.42.0"
32+
}
33+
]
34+
}
35+
],
36+
"versions": [
37+
"1.41.0"
38+
]
39+
},
40+
{
41+
"package": {
42+
"ecosystem": "Go",
43+
"name": "go.opentelemetry.io/otel/propagation"
44+
},
45+
"ranges": [
46+
{
47+
"type": "ECOSYSTEM",
48+
"events": [
49+
{
50+
"introduced": "1.41.0"
51+
},
52+
{
53+
"fixed": "1.42.0"
54+
}
55+
]
56+
}
57+
],
58+
"versions": [
59+
"1.41.0"
60+
]
61+
},
62+
{
63+
"package": {
64+
"ecosystem": "Go",
65+
"name": "go.opentelemetry.io/otel/baggage"
66+
},
67+
"ranges": [
68+
{
69+
"type": "ECOSYSTEM",
70+
"events": [
71+
{
72+
"introduced": "1.43.0"
73+
},
74+
{
75+
"fixed": "1.44.0"
76+
}
77+
]
78+
}
79+
],
80+
"versions": [
81+
"1.43.0"
82+
]
83+
},
84+
{
85+
"package": {
86+
"ecosystem": "Go",
87+
"name": "go.opentelemetry.io/otel/propagation"
88+
},
89+
"ranges": [
90+
{
91+
"type": "ECOSYSTEM",
92+
"events": [
93+
{
94+
"introduced": "1.43.0"
95+
},
96+
{
97+
"fixed": "1.44.0"
98+
}
99+
]
100+
}
101+
],
102+
"versions": [
103+
"1.43.0"
104+
]
105+
}
106+
],
107+
"references": [
108+
{
109+
"type": "WEB",
110+
"url": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-5wrp-cwcj-q835"
111+
},
112+
{
113+
"type": "PACKAGE",
114+
"url": "https://github.com/open-telemetry/opentelemetry-go"
115+
}
116+
],
117+
"database_specific": {
118+
"cwe_ids": [
119+
"CWE-789"
120+
],
121+
"severity": "MODERATE",
122+
"github_reviewed": true,
123+
"github_reviewed_at": "2026-05-28T17:04:19Z",
124+
"nvd_published_at": null
125+
}
126+
}
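Review bot: the "affected" entries for both go.opentelemetry.io/otel/baggage and go.opentelemetry.io/otel/propagation encode two disjoint windows (introduced 1.41.0, fixed 1.42.0; introduced 1.43.0, fixed 1.44.0), which says the length check was dropped again in 1.43.0, yet the "details" text only describes the single removal in open-telemetry/opentelemetry-go#7880; either add a sentence to "details" stating that 1.43.0 reintroduced the regression (and how 1.44.0 fixed it), or confirm the second range is not a copy-paste of the first. Three smaller points in the same hunk: the PR cited in "details" and the fixing commits are not listed under "references" (only the advisory URL and the package URL are), so consumers cannot follow the fix from the record; "cwe_ids" is "CWE-789" (Memory Allocation with Excessive Size Value), but the description is about CPU work and log-volume amplification from walking an unbounded header, for which CWE-400 (Uncontrolled Resource Consumption) is the closer match; and the "Assumptions:" list in "details" repeats its first three bullets in shorter form (inbound parsing with propagation.Baggage, oversized headers passing the transport limits, error handler not suppressing parse errors), so the last three lines can be dropped.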
