Resource Consumption Vulnerability in OpenTelemetry Rust SDK by OpenTelemetry
CVE-2026-48504
5.3MEDIUM
What is CVE-2026-48504?
The OpenTelemetry Rust SDK, specifically in version 0.32.0 and earlier, introduces a vulnerability in the BaggagePropagator::extract_with_context function. This function neglects to enforce W3C Baggage size limits prior to parsing inbound baggage headers. As a result, an attacker can exploit this oversight by sending large, controlled baggage headers, leading to excessive CPU processing and short-lived heap allocations as the SDK attempts to process these oversized headers. Services that handle untrusted incoming propagation headers are particularly vulnerable, experiencing increased resource usage per request when processing such headers. This issue has been remedied in version 0.32.1.
Affected Version(s)
opentelemetry-rust < 0.32.1
