CVE-2026-50271
Python Schwachstellenanalyse und -minderung

Überblick

CVE-2026-50271 is a Denial of Service vulnerability in the Datadog dd-trace-py tracing library caused by improper parsing of W3C baggage HTTP headers. The library fails to enforce item-count or byte-size limits during baggage header extraction, allowing a remote, unauthenticated attacker to trigger unbounded CPU and memory consumption. All versions of ddtrace (pip) prior to 4.8.2 are affected. The vulnerability was originally published on June 5, 2026, and added to the GitHub Advisory Database on July 15, 2026. It carries a CVSS v3.1 base score of 7.5 (High) (GitHub Advisory, DataDog Advisory).

Technische Details

The root cause is classified under CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling). The existing limits DD_TRACE_BAGGAGE_MAX_ITEMS (default 64) and DD_TRACE_BAGGAGE_MAX_BYTES (default 8192) were only applied to baggage injection (outbound), not extraction (inbound parsing). An attacker exploits this by crafting an HTTP request with a baggage header containing an arbitrarily large number of comma-separated key-value pairs, or a single extremely large value; the tracer allocates a hash-map entry for each pair on every request without bound. Because baggage propagation is enabled by default in most affected tracer configurations, no authentication or special privileges are required to trigger the condition (GitHub Advisory, DataDog Advisory).

Aufprall

Successful exploitation causes unbounded CPU and memory consumption on any HTTP service instrumented with an affected dd-trace-py version, resulting in service degradation or complete unavailability (Denial of Service). There is no impact on confidentiality or data integrity — the vulnerability is purely an availability issue. Because baggage propagation is enabled by default, any internet-facing Python service using an affected tracer version is exposed without additional configuration changes (GitHub Advisory).

Ausnutzungsschritte

  1. Reconnaissance: Identify internet-facing HTTP services instrumented with Datadog dd-trace-py versions prior to 4.8.2, using service fingerprinting or by observing Datadog-specific response headers/behaviors.
  2. Craft malicious baggage header: Construct an HTTP request with an oversized baggage header — either containing thousands of comma-separated key=value pairs (e.g., baggage: k1=v1,k2=v2,...,kN=vN with N far exceeding 64) or a single key-value pair with an extremely large value exceeding 8192 bytes.
  3. Send repeated requests: Transmit the crafted requests to any HTTP endpoint of the target service. Each request causes the tracer to allocate hash-map entries for every baggage item without limit.
  4. Trigger resource exhaustion: Sustained sending of such requests causes unbounded CPU and memory consumption on the target server, leading to service degradation or crash (GitHub Advisory, DataDog Advisory).

Indikatoren für Kompromittierung

  • Network: Incoming HTTP requests containing abnormally large baggage headers (exceeding 8 KB) or headers with an unusually high number of comma-separated key-value pairs (exceeding 64 items); repeated requests from the same source IP targeting any endpoint.
  • Logs: Web server or proxy access logs showing requests with oversized baggage header values; application logs showing memory allocation errors or out-of-memory exceptions in the Python process.
  • Process: Sudden spike in CPU and memory usage of the Python application process correlating with incoming HTTP traffic; process restarts or OOM-killer events in system logs (/var/log/syslog or dmesg) attributable to the instrumented service.

Risikominderung und Problemumgehungen

Upgrade ddtrace to version 4.8.2 or later, which enforces item-count and byte-size limits on baggage header extraction as well as injection. If an immediate upgrade is not possible, disable baggage extraction by removing baggage from the DD_TRACE_PROPAGATION_STYLE environment variable (or DD_TRACE_PROPAGATION_STYLE_EXTRACT if set independently). Additionally, cap the maximum HTTP request header size at an upstream proxy or web server — for example, using Apache's LimitRequestFieldSize, Nginx's large_client_header_buffers, or Envoy's max_request_headers_kb directives (GitHub Advisory, DataDog Advisory).

Reaktionen der Community

The advisory references related upstream vulnerabilities in other OpenTelemetry tracing libraries — specifically opentelemetry-go (GHSA-mh2q-q3fh-2475) and opentelemetry-dotnet (GHSA-g94r-2vxg-569j) — indicating this is a broader pattern of missing extraction-side limits in W3C baggage implementations across the observability ecosystem (GitHub Advisory). No significant social media commentary or media coverage has been identified beyond the official advisory.

Zusätzliche Ressourcen


QuelleDieser Bericht wurde mithilfe von KI erstellt

Verwandt Python Schwachstellen:

CVE-Kennung

Strenge

Punktzahl

Technologieen

Name der Komponente

CISA KEV-Exploit

Hat fix

Veröffentlichungsdatum

GHSA-r3hx-x5rh-p9vvHIGH8.7
  • Python logoPython
  • django-haystack
NeinJaJul 15, 2026
CVE-2026-54457HIGH7.7
  • Python logoPython
  • tensorzero
NeinJaJul 15, 2026
CVE-2026-50271HIGH7.5
  • Python logoPython
  • ddtrace
NeinJaJul 15, 2026
CVE-2026-54254MEDIUM6.9
  • Python logoPython
  • cyberdrop-dl-patched
NeinJaJul 15, 2026
CVE-2026-53656MEDIUM6.3
  • Python logoPython
  • fiftyone
NeinJaJul 15, 2026

Kostenlose Schwachstellenbewertung

Benchmarking Ihrer Cloud-Sicherheitslage

Bewerten Sie Ihre Cloud-Sicherheitspraktiken in 9 Sicherheitsbereichen, um Ihr Risikoniveau zu bewerten und Lücken in Ihren Abwehrmaßnahmen zu identifizieren.

Bewertung anfordern

Eine personalisierte Demo anfordern

Sind Sie bereit, Wiz in Aktion zu sehen?

"Die beste Benutzererfahrung, die ich je gesehen habe, bietet vollständige Transparenz für Cloud-Workloads."
David EstlickCISO
"„Wiz bietet eine zentrale Oberfläche, um zu sehen, was in unseren Cloud-Umgebungen vor sich geht.“ "
Adam FletcherSicherheitsbeauftragter
"„Wir wissen, dass, wenn Wiz etwas als kritisch identifiziert, es auch wirklich kritisch ist.“"
Greg PoniatowskiLeiter Bedrohungs- und Schwachstellenmanagement