Denial of Service Vulnerability in Datadog APM Client for Node.js
CVE-2026-50272

7.5HIGH

Key Information:

Vendor

Datadog

Vendor
CVE Published:
17 July 2026

What is CVE-2026-50272?

The Datadog APM client for Node.js, known as dd-trace, contains a vulnerability prior to version 5.100.0 that allows an unauthenticated remote attacker to exploit W3C baggage propagation. This is achieved through incoming HTTP headers that can include an excess of comma-separated key-value pairs or a single oversized value. The absence of restrictions on the maximum number of items or total byte size can lead to significant CPU and memory resource consumption, resulting in a denial of service scenario for any HTTP service that utilizes baggage propagation. This vulnerability has been addressed in version 5.100.0.

Affected Version(s)

dd-trace-js < 5.100.0

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.