Denial of Service Vulnerability in Datadog APM Client for Node.js
CVE-2026-50272
7.5HIGH
What is CVE-2026-50272?
The Datadog APM client for Node.js, known as dd-trace, contains a vulnerability prior to version 5.100.0 that allows an unauthenticated remote attacker to exploit W3C baggage propagation. This is achieved through incoming HTTP headers that can include an excess of comma-separated key-value pairs or a single oversized value. The absence of restrictions on the maximum number of items or total byte size can lead to significant CPU and memory resource consumption, resulting in a denial of service scenario for any HTTP service that utilizes baggage propagation. This vulnerability has been addressed in version 5.100.0.
Affected Version(s)
dd-trace-js < 5.100.0
