CVE-2026-54285 Overview
CVE-2026-54285 affects opentelemetry-js, the OpenTelemetry JavaScript Client. The W3CBaggagePropagator.extract() function in @opentelemetry/core did not enforce size limits when parsing inbound baggage HTTP headers. The W3C Baggage specification defines limits of 8,192 bytes total and 180 name/value pairs per header; @opentelemetry/core applied them only on the outbound inject() path, not on inbound extract() calls. Parsing an oversized header therefore allocated memory in proportion to header size with no cap. The issue is fixed in version 2.8.0 and is categorized as [CWE-770] Allocation of Resources Without Limits or Throttling.
Critical Impact
Remote attackers can send oversized baggage HTTP headers to trigger unbounded memory allocation, leading to a denial-of-service condition in services using vulnerable versions of @opentelemetry/core.
Affected Products
- opentelemetry-js (@opentelemetry/core) versions prior to 2.8.0
- Node.js services consuming inbound W3C Baggage headers via OpenTelemetry instrumentation
- Downstream applications relying on vulnerable @opentelemetry/core as a transitive dependency
Discovery Timeline
- 2026-06-22 - CVE-2026-54285 published to NVD
- 2026-06-23 - Last updated in NVD database
Technical Details for CVE-2026-54285
Vulnerability Analysis
The vulnerability resides in the W3CBaggagePropagator.extract() implementation in @opentelemetry/core. The W3C Baggage specification defines limits of 8,192 bytes per header and 180 name/value pairs. The OpenTelemetry JavaScript library enforced these limits only when serializing baggage for outbound propagation via inject(); inbound parsing applied no equivalent checks.
When a service processes an incoming HTTP request, the propagator reads the baggage header and constructs in-memory entries proportional to the header content. An attacker controlling the header can submit payloads far exceeding the recommended limits. The parser allocates string and object structures for each comma-delimited entry without short-circuiting on cumulative size.
The result is availability impact on the receiving Node.js process. Repeated oversized requests amplify allocation pressure, increasing garbage collection cost and potentially exhausting heap memory.
Root Cause
The root cause is asymmetric enforcement of specification limits between inject and extract paths [CWE-770]. The extract logic iterated header content without validating total byte count or entry count before allocation. No throttling or early-termination guard existed for malformed or oversized inputs.
Attack Vector
Exploitation requires only network access to a service that processes inbound W3C Baggage headers; no authentication or user interaction is needed. An attacker sends HTTP requests whose baggage header exceeds 8,192 bytes or 180 entries, and the targeted process allocates memory in proportion to the payload. Note that the server's own header limit bounds any single request: a Node.js HTTP server refuses requests whose header section exceeds http.maxHeaderSize (16 KiB by default) before the propagator ever sees them, and most reverse proxies impose comparable limits. A practical attack therefore relies on request volume and on packing many small entries into each header rather than on one enormous header; sustained or concurrent requests degrade service responsiveness or crash the process.
// No verified exploit code is available. See the GitHub Security Advisory
// (GHSA-8988-4f7v-96qf) for technical details on the parsing flaw.
Detection Methods for CVE-2026-54285
Indicators of Compromise
- Inbound HTTP requests containing baggage headers exceeding 8,192 bytes
- Requests with baggage headers containing more than 180 comma-delimited entries
- Unexplained spikes in Node.js heap usage or garbage collection cycles correlated with HTTP ingress
- Process restarts or out-of-memory errors in services running @opentelemetry/core versions earlier than 2.8.0
Detection Strategies
- Inspect HTTP access logs and reverse-proxy telemetry for oversized baggage request headers
- Audit application dependencies for @opentelemetry/core versions below 2.8.0 using npm ls or software composition analysis
- Correlate memory pressure metrics with request patterns targeting OpenTelemetry-instrumented endpoints
Monitoring Recommendations
- Add header-size thresholds to web application firewall or reverse-proxy rules and alert on violations
- Track Node.js heap and resident set size metrics with alerting on sudden growth
- Monitor application performance management dashboards for elevated GC pause times on instrumented services
How to Mitigate CVE-2026-54285
Immediate Actions Required
- Upgrade @opentelemetry/core and the broader opentelemetry-js packages to version 2.8.0 or later
- Identify transitive dependencies that pull in vulnerable versions (npm ls @opentelemetry/core lists every resolved copy) and force-resolve them with the overrides field (npm, pnpm) or resolutions (Yarn) in package.json
- Apply reverse-proxy header-size limits as a compensating control until patching is complete
Patch Information
The maintainers released a fix in opentelemetry-js version 2.8.0. The patch enforces the W3C Baggage 8,192-byte and 180-entry limits inside W3CBaggagePropagator.extract(), matching behavior already present in inject(). Refer to the GitHub Security Advisory GHSA-8988-4f7v-96qf for full details.
Workarounds
- Configure upstream proxies, load balancers, or API gateways to reject baggage headers larger than 8,192 bytes
- Strip or sanitize untrusted baggage headers at the edge before they reach instrumented Node.js services
- Disable the W3C Baggage propagator on internet-facing services that do not need baggage from external callers; the Node SDK enables it by default alongside W3C TraceContext, so set OTEL_PROPAGATORS=tracecontext (or pass an explicit textMapPropagator without W3CBaggagePropagator) to drop it
# Example: upgrade to the fixed version
npm install @opentelemetry/core@^2.8.0
# Verify the resolved version in your dependency tree
npm ls @opentelemetry/core
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

