CVE-2025-27513 Overview
CVE-2025-27513 is a Denial of Service (DoS) vulnerability affecting the OpenTelemetry.Api package for .NET, specifically versions 1.10.0 through 1.11.1. The vulnerability is triggered when an application receives HTTP requests containing tracestate and traceparent headers, causing excessive CPU consumption. Critically, this issue impacts applications even if they do not explicitly use trace context propagation—simply receiving these headers in incoming requests is sufficient to trigger the resource exhaustion.
Critical Impact
Web-facing applications and backend services processing HTTP requests with tracestate headers may experience severe performance degradation, increased latency, or complete service downtime due to excessive CPU resource consumption.
Affected Products
- OpenTelemetry.Api package version 1.10.0
- OpenTelemetry.Api package version 1.11.0
- OpenTelemetry.Api package version 1.11.1
Discovery Timeline
- 2025-03-05 - CVE-2025-27513 published to NVD
- 2025-03-05 - Last updated in NVD database
Technical Details for CVE-2025-27513
Vulnerability Analysis
This vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling). The flaw exists in how the OpenTelemetry.Api package processes incoming tracestate and traceparent HTTP headers used for distributed tracing context propagation.
When maliciously crafted or excessively complex tracestate headers are received, the parsing logic consumes disproportionate CPU resources. The network-accessible nature of this vulnerability means any internet-facing application using the affected OpenTelemetry.Api versions is potentially at risk. An attacker can exploit this remotely without any authentication or user interaction, simply by sending specially crafted HTTP requests to the target application.
The impact is availability-focused, causing resource exhaustion that can lead to service degradation or denial of service conditions without affecting confidentiality or integrity of the system.
Root Cause
The root cause lies in the resource allocation strategy within the tracestate header parsing functionality. The OpenTelemetry.Api package versions 1.10.0 through 1.11.1 fail to implement proper limits or throttling when processing trace context headers, allowing unbounded resource consumption during header parsing operations.
Attack Vector
The attack vector is network-based, requiring no privileges or user interaction. An attacker can send HTTP requests containing malicious tracestate and traceparent headers to any web endpoint processed by an application using the vulnerable OpenTelemetry.Api package. The attack can be amplified by sending multiple concurrent requests, rapidly exhausting server CPU resources and causing denial of service conditions.
The vulnerability mechanism involves the header parsing routines in the OpenTelemetry context propagation layer. When processing incoming HTTP requests, the framework automatically attempts to extract and parse trace context information from standard headers (traceparent and tracestate). The parsing implementation in affected versions lacks proper resource bounds, enabling algorithmic complexity attacks through specially crafted header values. For detailed technical information, refer to the GitHub Security Advisory GHSA-8785-wc3w-h8q6.
Detection Methods for CVE-2025-27513
Indicators of Compromise
- Abnormal CPU utilization spikes on servers running .NET applications with OpenTelemetry instrumentation
- HTTP requests containing unusually large or malformed tracestate headers in access logs
- Increased request latency or timeout errors without corresponding increase in legitimate traffic
- Service health check failures due to resource exhaustion
Detection Strategies
- Monitor for HTTP requests with tracestate headers exceeding normal size thresholds
- Implement application performance monitoring (APM) to detect unusual CPU consumption patterns correlated with incoming requests
- Review dependency manifests and NuGet package references for OpenTelemetry.Api versions between 1.10.0 and 1.11.1
- Use SentinelOne Singularity platform to detect resource exhaustion patterns and anomalous process behavior
Monitoring Recommendations
- Configure alerting thresholds for CPU utilization anomalies on application servers
- Implement request rate limiting and header size validation at the load balancer or WAF layer
- Enable detailed HTTP request logging to capture header contents for forensic analysis
- Monitor .NET application health metrics including thread pool exhaustion and garbage collection pressure
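One way to act on the size-threshold and logging recommendations above is a small log scanner. The following is an added example, not code from the advisory or from the OpenTelemetry project: it reads a constructed access-log format in which the proxy has logged the incoming traceparent and tracestate header values, and flags requests whose tracestate exceeds an assumed maximum length or an assumed maximum number of comma-separated list-members. Both thresholds and the log format are assumptions to adapt to your own baseline.

```python
"""Flag HTTP requests whose W3C trace-context headers look oversized.

Added example (not from the advisory or the OpenTelemetry project). It runs
over a few constructed access-log lines and applies two assumed thresholds:
a maximum tracestate length and a maximum number of tracestate list-members.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed thresholds; tune them to what your legitimate traffic produces.
MAX_TRACESTATE_LEN = 512
MAX_LIST_MEMBERS = 32

# Constructed log format (assumption):
#   <ip> "<method> <path>" <status> traceparent="..." tracestate="..."
LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})'
    r'(?: traceparent="(?P<traceparent>[^"]*)")?'
    r'(?: tracestate="(?P<tracestate>[^"]*)")?$'
)


@dataclass
class Finding:
    ip: str
    path: str
    reason: str
    tracestate_len: int
    members: int


def count_members(tracestate: str) -> int:
    """tracestate list-members are comma separated; empty entries are ignored."""
    return sum(1 for m in tracestate.split(",") if m.strip())


def inspect_line(line: str) -> Optional[Finding]:
    """Return a Finding when the line's tracestate breaches a threshold, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # not in the expected format; skip rather than guess
    ts = m.group("tracestate")
    if ts is None:
        return None  # request carried no tracestate header
    members = count_members(ts)
    if len(ts) > MAX_TRACESTATE_LEN:
        return Finding(m["ip"], m["path"], "tracestate too long", len(ts), members)
    if members > MAX_LIST_MEMBERS:
        return Finding(m["ip"], m["path"], "too many list-members", len(ts), members)
    return None


def scan(lines: Iterable[str]) -> List[Finding]:
    """Scan many log lines and keep only the findings."""
    return [f for f in map(inspect_line, lines) if f is not None]


# Constructed sample log lines (not real traffic).
_TP = "00-0af7651916cd43dd8448eb211c80319c-b7ad6b7169203331-01"
SAMPLE_LOG = [
    # normal request: two vendors in tracestate
    f'203.0.113.7 "GET /api/orders" 200 traceparent="{_TP}" tracestate="vendor1=abc,vendor2=def"',
    # 40 list-members: more than the assumed 32
    f'198.51.100.9 "POST /api/orders" 200 traceparent="{_TP}" tracestate="'
    + ",".join(f"k{i}=v" for i in range(40)) + '"',
    # a single member with a 600-character value: longer than the assumed 512
    f'198.51.100.9 "GET /api/orders/1" 200 traceparent="{_TP}" tracestate="vendor='
    + "a" * 600 + '"',
    # no trace context headers at all
    '198.51.100.4 "GET /health" 200',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ip} {f.path}: {f.reason} (len={f.tracestate_len}, members={f.members})")
```

The scanner deliberately does nothing with lines it cannot parse, so a format change at the proxy surfaces as a drop in findings rather than as false alerts; pair it with a count of skipped lines in production. Alerting on the source IP and path together with the reason gives the on-call engineer enough to correlate the request with the CPU spikes listed under Indicators of Compromise.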
How to Mitigate CVE-2025-27513
Immediate Actions Required
- Upgrade OpenTelemetry.Api package to version 1.11.2 or later immediately
- Audit all .NET applications for usage of affected OpenTelemetry.Api versions (1.10.0 - 1.11.1)
- Consider implementing header size limits at reverse proxy or load balancer level as defense-in-depth
- Review and test applications after upgrade to ensure compatibility
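The audit step above can be scripted across a repository. The following is an added example, not code from the advisory or the OpenTelemetry project: it parses PackageReference and PackageVersion elements from .csproj or Directory.Packages.props content and reports any OpenTelemetry.Api reference inside the affected range 1.10.0 through 1.11.1 given by the advisory. The sample project files are constructed; treating prerelease and build-metadata suffixes as equal to their numeric core, and reporting NuGet version ranges for manual review, are assumptions made for this example.

```python
"""Audit .NET project files for OpenTelemetry.Api versions affected by CVE-2025-27513.

Added example (not from the advisory or the OpenTelemetry project). The affected
range (1.10.0 - 1.11.1) and the fixed version (1.11.2) come from the advisory;
the project-file samples below are constructed.
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

PACKAGE = "OpenTelemetry.Api"
AFFECTED_MIN = (1, 10, 0)
AFFECTED_MAX = (1, 11, 1)
FIXED = "1.11.2"

# Both SDK-style PackageReference and central-package-management PackageVersion
# elements carry the version we need to check.
VERSION_TAGS = {"PackageReference", "PackageVersion"}


def parse_version(v: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) or None when the string is not a plain version.

    Assumption: a prerelease/build suffix ("1.11.0-rc.1") is compared on its
    numeric core; NuGet ranges such as "[1.10.0,1.12.0)" return None.
    """
    core = re.split(r"[-+]", v.strip(), maxsplit=1)[0]
    try:
        parts = tuple(int(p) for p in core.split("."))
    except ValueError:
        return None
    padded = parts + (0, 0, 0)
    return (padded[0], padded[1], padded[2])


def is_affected(version: str) -> bool:
    parsed = parse_version(version)
    return parsed is not None and AFFECTED_MIN <= parsed <= AFFECTED_MAX


def _local_name(tag: str) -> str:
    """Strip an XML namespace (old-style csproj files use the MSBuild namespace)."""
    return tag.rsplit("}", 1)[-1]


def audit_project_xml(xml_text: str, project_name: str = "<project>") -> List[str]:
    """Return one message per OpenTelemetry.Api reference that needs attention."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []
    for el in root.iter():
        if _local_name(el.tag) not in VERSION_TAGS:
            continue
        name = el.get("Include") or el.get("Update")
        if name != PACKAGE:
            continue
        version = el.get("Version")
        if version is None:  # version may also be a child element
            child = next((c for c in el if _local_name(c.tag) == "Version"), None)
            version = child.text.strip() if child is not None and child.text else None
        if version is None:
            findings.append(f"{project_name}: {PACKAGE} has no explicit version; review manually")
        elif parse_version(version) is None:
            findings.append(f"{project_name}: {PACKAGE} version '{version}' is a range; review manually")
        elif is_affected(version):
            findings.append(f"{project_name}: {PACKAGE} {version} is affected; upgrade to {FIXED}")
    return findings


# Constructed sample project files (not from any real repository).
SAMPLE_VULNERABLE = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="OpenTelemetry.Api" Version="1.11.0" />
    <PackageReference Include="OpenTelemetry" Version="1.11.2" />
  </ItemGroup>
</Project>"""

SAMPLE_FIXED = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="OpenTelemetry.Api" Version="1.11.2" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    for msg in audit_project_xml(SAMPLE_VULNERABLE, "Api.csproj") + audit_project_xml(SAMPLE_FIXED, "Web.csproj"):
        print(msg)
```

Run it over every .csproj and Directory.Packages.props in the tree; a reference that resolves through a transitive dependency will not appear in project files, so follow up with the `dotnet list package` check shown later on this page for the versions actually restored.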
Patch Information
The vulnerability has been fixed in OpenTelemetry.Api version 1.11.2. The fix is available via the GitHub commit 1b555c1201413f2f55f2cd3c4ba03ef4b615b6b5. Organizations should update their NuGet package references and redeploy affected applications as soon as possible.
For additional details, consult the GitHub Security Advisory GHSA-8785-wc3w-h8q6.
Workarounds
- Implement header filtering at the edge (WAF/reverse proxy) to block or sanitize oversized tracestate headers
- Configure request size limits to prevent excessively large headers from reaching application servers
- Temporarily disable distributed tracing propagation if business requirements permit
- Deploy rate limiting on endpoints to reduce the effectiveness of DoS attempts
# Example: Update OpenTelemetry.Api package via .NET CLI
dotnet add package OpenTelemetry.Api --version 1.11.2
# Verify installed package version
dotnet list package | grep OpenTelemetry.Api
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.