CVE-2026-50270:
Java Análisis y mitigación de vulnerabilidades
Vista general
CVE-2026-50270 is a Denial of Service vulnerability in the Datadog dd-trace-java tracing library caused by improper parsing of W3C baggage HTTP headers. The library fails to enforce item-count or byte-size limits during baggage header extraction, allowing a remote, unauthenticated attacker to trigger unbounded CPU and memory consumption. All versions of com.datadoghq:dd-java-agent prior to 1.62.0 are affected. The advisory was originally published on June 5, 2026, and added to the GitHub Advisory Database on July 15, 2026. It carries a CVSS v3.1 base score of 7.5 (High) (GitHub Advisory, DataDog Advisory).
Técnicas
The root cause is classified as CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling). The existing limits DD_TRACE_BAGGAGE_MAX_ITEMS (default 64) and DD_TRACE_BAGGAGE_MAX_BYTES (default 8192) were only applied to baggage injection (outbound), not extraction (inbound parsing). An attacker exploits this by sending HTTP requests with a crafted baggage header containing an arbitrarily large number of comma-separated key-value pairs or a single oversized value; the tracer allocates a hash-map entry for each pair on every request without any cap, exhausting server resources. No authentication or special privileges are required, and the baggage propagation style is enabled by default in affected tracers, making the attack surface broad (GitHub Advisory, DataDog Advisory).
Impacto
Successful exploitation causes unbounded CPU and memory consumption on the targeted Java service, resulting in a complete availability impact (Denial of Service). There is no confidentiality or integrity impact — the vulnerability cannot be used to access or modify data. Any internet-facing HTTP service instrumented with an affected version of dd-trace-java and using the default propagation configuration is exposed, potentially rendering the service unresponsive to legitimate traffic (GitHub Advisory).
Pasos de explotación
- Reconnaissance: Identify internet-facing HTTP services instrumented with Datadog
dd-trace-javaversions prior to 1.62.0. This may be inferred from response headers, error messages, or service metadata. - Craft malicious baggage header: Construct an HTTP request with a
baggageheader containing an extremely large number of comma-separated key-value pairs (e.g.,key1=val1,key2=val2,...,keyN=valNwith thousands of entries) or a single key-value pair with a very large value exceeding normal bounds. - Send requests to target: Repeatedly send the crafted HTTP requests to any endpoint of the target service. No authentication is required.
- Trigger resource exhaustion: Each request causes the tracer to allocate hash-map entries for every baggage pair without limit, progressively consuming CPU and memory until the service becomes unresponsive or crashes (GitHub Advisory, DataDog Advisory).
Indicadores de compromiso
- Network: Repeated HTTP requests to service endpoints containing abnormally large or numerous
baggageheader values (e.g., headers exceeding 8 KB or containing hundreds of comma-separated key-value pairs). - Logs: Web server or proxy access logs showing requests with oversized
baggageheaders from one or more source IPs; application logs showing JavaOutOfMemoryErroror GC overhead limit exceeded errors. - Process: Sudden spike in JVM heap usage or CPU utilization on the instrumented Java service correlating with incoming HTTP traffic; JVM garbage collection logs showing continuous full GC cycles without memory recovery.
Mitigación y soluciones alternativas
Upgrade com.datadoghq:dd-java-agent to version 1.62.0 or later, which enforces item-count and byte-size limits on baggage header extraction as well as injection (GitHub Advisory). If an immediate upgrade is not possible, apply one or both of the following workarounds:
- Disable baggage extraction: Remove
baggagefrom theDD_TRACE_PROPAGATION_STYLEenvironment variable (orDD_TRACE_PROPAGATION_STYLE_EXTRACTif configured independently). - Cap HTTP request header size at the proxy/web server layer: Use
LimitRequestFieldSizein Apache,large_client_header_buffersin Nginx, ormax_request_headers_kbin Envoy to restrict the maximum size of incoming headers (DataDog Advisory).
Reacciones de la comunidad
The advisory references related upstream vulnerabilities in OpenTelemetry libraries (opentelemetry-go GHSA-mh2q-q3fh-2475 and opentelemetry-dotnet GHSA-g94r-2vxg-569j), suggesting this is a broader pattern affecting W3C baggage propagation implementations across multiple tracing ecosystems. No notable public researcher commentary or significant social media discussion has been identified beyond the official advisory (GitHub Advisory).
Recursos adicionales
Fuente: Este informe se generó utilizando IA
Relacionado Java Vulnerabilidades:
Evaluación gratuita de vulnerabilidades
Compare su postura de seguridad en la nube
Evalúe sus prácticas de seguridad en la nube en 9 dominios de seguridad para comparar su nivel de riesgo e identificar brechas en sus defensas.
Recursos adicionales de Wiz
Obtén una demostración personalizada
¿Listo para ver a Wiz en acción?
"La mejor experiencia de usuario que he visto en mi vida, proporciona una visibilidad completa de las cargas de trabajo en la nube."
"Wiz proporciona un panel único para ver lo que ocurre en nuestros entornos en la nube."
"Sabemos que si Wiz identifica algo como crítico, en realidad lo es."