
CVE-2026-54285: OpenTelemetry JavaScript Client DoS Flaw

CVE-2026-54285 is a denial of service vulnerability in OpenTelemetry JavaScript Client that allows uncapped memory allocation through oversized baggage headers. This article covers technical details, affected versions, and fixes.

CVE-2026-54285 Overview

CVE-2026-54285 affects opentelemetry-js, the OpenTelemetry JavaScript Client. The W3CBaggagePropagator.extract() function in @opentelemetry/core fails to enforce size limits when parsing inbound baggage HTTP headers. The W3C Baggage specification recommends a maximum of 8,192 bytes and 180 entries. These limits were applied only on the outbound inject() path, not on inbound extract() calls. Parsing oversized baggage triggers memory allocation proportional to header size with no cap. This issue is fixed in version 2.8.0 and is categorized under [CWE-770] Allocation of Resources Without Limits or Throttling.

Critical Impact

Remote attackers can send oversized baggage HTTP headers to trigger unbounded memory allocation, leading to a denial-of-service condition in services using vulnerable versions of @opentelemetry/core.

Affected Products

  • opentelemetry-js (@opentelemetry/core) versions prior to 2.8.0
  • Node.js services consuming inbound W3C Baggage headers via OpenTelemetry instrumentation
  • Downstream applications relying on vulnerable @opentelemetry/core as a transitive dependency

Discovery Timeline

  • 2026-06-22 - CVE-2026-54285 published to NVD
  • 2026-06-23 - Last updated in NVD database

Technical Details for CVE-2026-54285

Vulnerability Analysis

The vulnerability resides in the W3CBaggagePropagator.extract() implementation in @opentelemetry/core. The W3C Baggage specification defines upper bounds of 8,192 bytes per header and 180 distinct entries. The OpenTelemetry JavaScript library enforced these bounds only when serializing baggage for outbound propagation via inject(). Inbound parsing applied no equivalent checks.

When a service processes an incoming HTTP request, the propagator reads the baggage header and constructs in-memory entries proportional to the header content. An attacker controlling the header can submit payloads far exceeding the recommended limits. The parser allocates string and object structures for each comma-delimited entry without short-circuiting on cumulative size.

The result is availability impact on the receiving Node.js process. Repeated oversized requests amplify allocation pressure, increasing garbage collection cost and potentially exhausting heap memory.

Root Cause

The root cause is asymmetric enforcement of specification limits between inject and extract paths [CWE-770]. The extract logic iterated header content without validating total byte count or entry count before allocation. No throttling or early-termination guard existed for malformed or oversized inputs.
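The asymmetry described above can be made concrete with a small parser. The following is an added example, not code from opentelemetry-js or from the advisory: `parseBaggageUnbounded` mirrors the flawed shape (one entry materialized per comma-delimited member, no cap), while `parseBaggageBounded` checks the byte cap before any per-entry allocation and stops iterating once the entry cap is reached. The limit values are the W3C Baggage figures quoted on this page; the function names, the choice to keep the first 180 members and drop the rest, and `buildHeader` (which constructs test input) are this example's own assumptions, not the library's API.

```javascript
// Added example (not opentelemetry-js code): inbound baggage parsing with the
// W3C Baggage limits enforced before allocation, beside an unbounded parse
// that resembles the pre-2.8.0 behaviour described on the page.
const BAGGAGE_MAX_TOTAL_LENGTH = 8192; // bytes, per W3C Baggage (as quoted on the page)
const BAGGAGE_MAX_NAME_VALUE_PAIRS = 180; // entries, per W3C Baggage (as quoted on the page)

// Parse one "key=value;prop" member into the map. Properties after ';' are
// ignored here; malformed members (no key, bad percent-encoding) are skipped.
function addPair(entries, pair) {
  const eq = pair.indexOf('=');
  if (eq <= 0) return;
  const key = pair.slice(0, eq).trim();
  const rawValue = pair.slice(eq + 1).split(';', 1)[0].trim();
  let value;
  try {
    value = decodeURIComponent(rawValue);
  } catch {
    return; // malformed percent-encoding: drop the member rather than throw
  }
  if (key.length > 0) entries.set(key, value);
}

// Unbounded parse (for comparison only): allocation grows with the header,
// which is the CWE-770 pattern described in the Root Cause section.
function parseBaggageUnbounded(header) {
  const entries = new Map();
  for (const pair of header.split(',')) addPair(entries, pair);
  return entries;
}

// Bounded parse: reject oversized headers up front, and never materialize
// more than the entry cap. `rejected` and `truncated` let the caller log why.
function parseBaggageBounded(header) {
  const result = { entries: new Map(), rejected: false, truncated: false };
  if (typeof header !== 'string' || header.length === 0) return result;
  // Byte cap is checked before a single entry is allocated.
  if (Buffer.byteLength(header, 'utf8') > BAGGAGE_MAX_TOTAL_LENGTH) {
    result.rejected = true;
    return result;
  }
  let start = 0;
  while (start < header.length) {
    if (result.entries.size >= BAGGAGE_MAX_NAME_VALUE_PAIRS) {
      result.truncated = true; // remaining members are never allocated
      break;
    }
    let end = header.indexOf(',', start);
    if (end === -1) end = header.length;
    addPair(result.entries, header.slice(start, end));
    start = end + 1;
  }
  return result;
}

// Constructed test input: `count` members, each with a value of `valueLen` bytes.
function buildHeader(count, valueLen) {
  const parts = [];
  for (let i = 0; i < count; i++) parts.push(`k${i}=${'v'.repeat(valueLen)}`);
  return parts.join(',');
}

// Demonstration on constructed headers.
console.log('normal:', parseBaggageBounded('userId=alice,serverNode=DF%2028'));
console.log('too many entries (unbounded):', parseBaggageUnbounded(buildHeader(200, 1)).size);
console.log('too many entries (bounded):', parseBaggageBounded(buildHeader(200, 1)).entries.size);
console.log('oversized header (bounded):', parseBaggageBounded(buildHeader(1, 9000)).rejected);
```

The byte check runs before the loop, so an oversized header costs one `Buffer.byteLength` call rather than a proportional number of string and Map allocations; the entry check sits at the top of the loop so the 181st member is never sliced or decoded. Whether to drop excess members or reject the whole header is a policy choice; the page only states that 2.8.0 enforces the limits in `extract()`.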

Attack Vector

Exploitation requires only network access to a service that processes inbound W3C Baggage headers. No authentication or user interaction is needed. An attacker sends HTTP requests containing a baggage header far exceeding 8,192 bytes or 180 entries. The targeted process allocates memory in proportion to the supplied payload. Sustained or concurrent requests degrade service responsiveness or crash the process.

// No verified exploit code is available. See the GitHub Security Advisory
// (GHSA-8988-4f7v-96qf) for technical details on the parsing flaw.

Detection Methods for CVE-2026-54285

Indicators of Compromise

  • Inbound HTTP requests containing baggage headers exceeding 8,192 bytes
  • Requests with baggage headers containing more than 180 comma-delimited entries
  • Unexplained spikes in Node.js heap usage or garbage collection cycles correlated with HTTP ingress
  • Process restarts or out-of-memory errors in services running @opentelemetry/core versions earlier than 2.8.0

Detection Strategies

  • Inspect HTTP access logs and reverse-proxy telemetry for oversized baggage request headers
  • Audit application dependencies for @opentelemetry/core versions below 2.8.0 using npm ls or software composition analysis
  • Correlate memory pressure metrics with request patterns targeting OpenTelemetry-instrumented endpoints
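The first detection strategy above, inspecting access logs for oversized baggage headers, can be scripted. The following is an added example and not part of the advisory or the opentelemetry-js project: it scans JSON-lines records from a reverse proxy that logs request headers, flags any `baggage` header over the 8,192-byte or 180-entry limits quoted on this page, and aggregates hits per source address so that sustained sends stand out. The log record layout (`ts`, `src`, `path`, `headers.baggage`) and the sample lines are constructed for this example; adapt the field names to your proxy's actual output.

```javascript
// Added detection example (constructed log format; not from the advisory or
// the opentelemetry-js project).
const MAX_BAGGAGE_BYTES = 8192; // W3C Baggage limit as quoted on the page
const MAX_BAGGAGE_ENTRIES = 180; // W3C Baggage limit as quoted on the page

// Returns null for an acceptable header, otherwise a short reason string.
function classifyBaggage(header) {
  if (typeof header !== 'string') return null;
  const bytes = Buffer.byteLength(header, 'utf8');
  if (bytes > MAX_BAGGAGE_BYTES) return `size:${bytes}`;
  // Count list members rather than distinct keys: the flawed parser allocated
  // per comma-delimited member, so members are what drive memory pressure.
  const members = header.split(',').length;
  if (members > MAX_BAGGAGE_ENTRIES) return `entries:${members}`;
  return null;
}

// Scan JSON-lines access log records. Unparseable lines are counted, not fatal.
function scanAccessLog(lines) {
  const findings = [];
  let malformed = 0;
  for (const line of lines) {
    let rec;
    try {
      rec = JSON.parse(line);
    } catch {
      malformed++;
      continue;
    }
    const reason = classifyBaggage(rec.headers && rec.headers.baggage);
    if (reason) findings.push({ ts: rec.ts, src: rec.src, path: rec.path, reason });
  }
  return { findings, malformed };
}

// Hits per source address, sorted descending, for alerting on repeat senders.
function summarizeBySource(findings) {
  const counts = new Map();
  for (const f of findings) counts.set(f.src, (counts.get(f.src) || 0) + 1);
  return [...counts.entries()].sort((a, b) => b[1] - a[1]);
}

// Constructed sample log lines (addresses from documentation ranges).
const SAMPLE_LINES = [
  JSON.stringify({ ts: '2026-06-23T10:00:00Z', src: '198.51.100.7', path: '/api/orders',
    headers: { baggage: 'userId=alice,tenant=acme' } }),
  JSON.stringify({ ts: '2026-06-23T10:00:01Z', src: '203.0.113.9', path: '/api/orders',
    headers: { baggage: 'x=' + 'A'.repeat(9000) } }),
  JSON.stringify({ ts: '2026-06-23T10:00:02Z', src: '203.0.113.9', path: '/api/orders',
    headers: { baggage: Array.from({ length: 250 }, (_, i) => `k${i}=v`).join(',') } }),
  JSON.stringify({ ts: '2026-06-23T10:00:03Z', src: '198.51.100.8', path: '/healthz',
    headers: {} }),
  'this line is not JSON',
];

const report = scanAccessLog(SAMPLE_LINES);
console.log('findings:', report.findings);
console.log('malformed lines:', report.malformed);
console.log('by source:', summarizeBySource(report.findings));
```

The same `classifyBaggage` check can be reused at the edge (the Workarounds section below) to decide whether to strip or reject a header before it reaches an instrumented service, so detection and the compensating control use one definition of "oversized".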

Monitoring Recommendations

  • Add header-size thresholds to web application firewall or reverse-proxy rules and alert on violations
  • Track Node.js heap and resident set size metrics with alerting on sudden growth
  • Monitor application performance management dashboards for elevated GC pause times on instrumented services

How to Mitigate CVE-2026-54285

Immediate Actions Required

  • Upgrade @opentelemetry/core and the broader opentelemetry-js packages to version 2.8.0 or later
  • Identify transitive dependencies pulling in vulnerable versions and force-resolve them via package.json overrides or resolutions
  • Apply reverse-proxy header-size limits as a compensating control until patching is complete

Patch Information

The maintainers released a fix in opentelemetry-js version 2.8.0. The patch enforces the W3C Baggage 8,192-byte and 180-entry limits inside W3CBaggagePropagator.extract(), matching behavior already present in inject(). Refer to the GitHub Security Advisory GHSA-8988-4f7v-96qf for full details.

Workarounds

  • Configure upstream proxies, load balancers, or API gateways to reject baggage headers larger than 8,192 bytes
  • Strip or sanitize untrusted baggage headers at the edge before they reach instrumented Node.js services
  • Disable the W3C Baggage propagator on internet-facing services that do not require baggage propagation from external callers

```bash
# Example: upgrade to the fixed version
npm install @opentelemetry/core@^2.8.0

# Verify the resolved version in your dependency tree
npm ls @opentelemetry/core
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.