Memory Allocation Vulnerability in OpenTelemetry JavaScript Client
CVE-2026-54285

5.3 MEDIUM

Key Information:

Vendor
CVE Published:
22 June 2026

What is CVE-2026-54285?

The OpenTelemetry JavaScript Client prior to version 2.8.0 contains a vulnerability in the W3CBaggagePropagator.extract() function. The function imposes no size limit when parsing an inbound baggage HTTP header, so the memory it allocates is bounded only by the size of the header the peer chooses to send. The W3C Baggage specification suggests a maximum size of 8,192 bytes and allows for up to 180 entries, but before the fix these limits were only enforced on the outbound (inject) path, not on extraction. As a result, oversized inbound baggage can cause excessive memory usage, exposing applications to performance degradation and resource exhaustion. This issue has been addressed in version 2.8.0.
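The mitigation described above is to apply the same caps on the inbound path that already existed for outbound baggage. The following is an added example of a size-bounded baggage header parser; it is not OpenTelemetry's W3CBaggagePropagator code and does not reproduce the project's API. The two constants are the figures quoted on this page (8,192 bytes, 180 entries); the function names (`parseBaggageHeader`, `utf8Length`, `safeDecode`), the returned shape and the sample header values are this example's own assumptions.

```javascript
// Added example: a size-bounded parser for an inbound W3C Baggage header.
// Illustrative code only, not OpenTelemetry's W3CBaggagePropagator.extract().
const MAX_BAGGAGE_BYTES = 8192;   // total header size quoted from the W3C Baggage spec
const MAX_BAGGAGE_ENTRIES = 180;  // list-member count quoted from the W3C Baggage spec

// UTF-8 byte length of a string (works in Node and browsers).
function utf8Length(str) {
  return new TextEncoder().encode(str).length;
}

// decodeURIComponent that returns null instead of throwing on malformed escapes.
function safeDecode(s) {
  try {
    return decodeURIComponent(s);
  } catch (e) {
    return null;
  }
}

/**
 * Parse an inbound `baggage` header value into a Map of key -> { value, metadata }.
 * Both limits are enforced BEFORE any per-entry work, so an oversized header costs
 * one length check rather than an allocation proportional to its size.
 * Returns { entries, rejected, droppedEntries, reason } so callers can log the outcome.
 */
function parseBaggageHeader(headerValue) {
  const result = { entries: new Map(), rejected: false, droppedEntries: 0, reason: null };
  if (typeof headerValue !== 'string' || headerValue.length === 0) {
    return result;
  }

  // 1. Total-size guard. A JS string never has fewer UTF-8 bytes than UTF-16 code
  //    units, so the cheap .length check short-circuits before encoding a huge value.
  if (headerValue.length > MAX_BAGGAGE_BYTES || utf8Length(headerValue) > MAX_BAGGAGE_BYTES) {
    result.rejected = true;
    result.reason = 'baggage header exceeds ' + MAX_BAGGAGE_BYTES + ' bytes; header ignored';
    return result;
  }

  // 2. Entry-count guard: keep the first MAX_BAGGAGE_ENTRIES list members, drop the rest.
  let members = headerValue.split(',');
  if (members.length > MAX_BAGGAGE_ENTRIES) {
    result.droppedEntries = members.length - MAX_BAGGAGE_ENTRIES;
    members = members.slice(0, MAX_BAGGAGE_ENTRIES);
  }

  // 3. Parse each member as  key=value[;prop1;prop2...]  and skip malformed ones.
  for (const member of members) {
    const parts = member.split(';');
    const kv = parts[0].trim();
    const eq = kv.indexOf('=');
    if (eq <= 0) continue;                         // no '=' or empty key
    const key = safeDecode(kv.slice(0, eq).trim());
    const value = safeDecode(kv.slice(eq + 1).trim());
    if (key === null || value === null || key.length === 0) continue;
    const metadata = parts.slice(1).map((p) => p.trim()).filter(Boolean).join(';');
    result.entries.set(key, { value, metadata });
  }
  return result;
}

// Constructed sample inputs for a stand-alone run.
const ok = parseBaggageHeader('userId=alice,serverNode=DF%2028;ttl=60');
console.log('normal header:', [...ok.entries.entries()]);

const oversized = 'k=' + 'a'.repeat(9000);       // > 8192 bytes, rejected outright
console.log('oversized header:', parseBaggageHeader(oversized).reason);

const tooMany = Array.from({ length: 200 }, (_, i) => 'k' + i + '=v').join(',');
const capped = parseBaggageHeader(tooMany);
console.log('kept', capped.entries.size, 'entries, dropped', capped.droppedEntries);
```

Rejecting the whole header when the byte limit is exceeded (rather than truncating it) is a deliberate choice: a truncated baggage string can cut an entry in half and silently change its value, whereas dropping it keeps the trace context well-formed and leaves a `reason` that can be surfaced in application logs to detect peers sending abnormal headers.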

Affected Version(s)

opentelemetry-js < 2.8.0

References

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
