Vulnerability in Datadog .NET Tracer Affects Baggage Propagation
CVE-2026-50273

7.5HIGH

Key Information:

Vendor

Datadog

Vendor
CVE Published:
17 July 2026

What is CVE-2026-50273?

The vulnerability in Datadog .NET Tracer allows remote unauthenticated attackers to exploit unbounded parsing of incoming baggage HTTP headers. Before version 3.43.0, the library did not enforce limits on the maximum items or bytes for the baggage values, leading to potential CPU and memory overload where baggage propagation is enabled. This issue, now resolved in version 3.43.0, underscores the importance of input validation in preventing resource exhaustion attacks.

Affected Version(s)

dd-trace-dotnet < 3.43.0

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.