CVE-2026-50270
Java Análisis y mitigación de vulnerabilidades

Vista general

CVE-2026-50270 is a Denial of Service vulnerability in the Datadog dd-trace-java tracing library caused by improper parsing of W3C baggage HTTP headers. The library fails to enforce item-count or byte-size limits during baggage header extraction, allowing a remote, unauthenticated attacker to trigger unbounded CPU and memory consumption. All versions of com.datadoghq:dd-java-agent prior to 1.62.0 are affected. The advisory was originally published on June 5, 2026, and added to the GitHub Advisory Database on July 15, 2026. It carries a CVSS v3.1 base score of 7.5 (High) (GitHub Advisory, DataDog Advisory).

Técnicas

The root cause is classified as CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling). The existing limits DD_TRACE_BAGGAGE_MAX_ITEMS (default 64) and DD_TRACE_BAGGAGE_MAX_BYTES (default 8192) were only applied to baggage injection (outbound), not extraction (inbound parsing). An attacker exploits this by sending HTTP requests with a crafted baggage header containing an arbitrarily large number of comma-separated key-value pairs or a single oversized value; the tracer allocates a hash-map entry for each pair on every request without any cap, exhausting server resources. No authentication or special privileges are required, and the baggage propagation style is enabled by default in affected tracers, making the attack surface broad (GitHub Advisory, DataDog Advisory).

Impacto

Successful exploitation causes unbounded CPU and memory consumption on the targeted Java service, resulting in a complete availability impact (Denial of Service). There is no confidentiality or integrity impact — the vulnerability cannot be used to access or modify data. Any internet-facing HTTP service instrumented with an affected version of dd-trace-java and using the default propagation configuration is exposed, potentially rendering the service unresponsive to legitimate traffic (GitHub Advisory).

Pasos de explotación

  1. Reconnaissance: Identify internet-facing HTTP services instrumented with Datadog dd-trace-java versions prior to 1.62.0. This may be inferred from response headers, error messages, or service metadata.
  2. Craft malicious baggage header: Construct an HTTP request with a baggage header containing an extremely large number of comma-separated key-value pairs (e.g., key1=val1,key2=val2,...,keyN=valN with thousands of entries) or a single key-value pair with a very large value exceeding normal bounds.
  3. Send requests to target: Repeatedly send the crafted HTTP requests to any endpoint of the target service. No authentication is required.
  4. Trigger resource exhaustion: Each request causes the tracer to allocate hash-map entries for every baggage pair without limit, progressively consuming CPU and memory until the service becomes unresponsive or crashes (GitHub Advisory, DataDog Advisory).

Indicadores de compromiso

  • Network: Repeated HTTP requests to service endpoints containing abnormally large or numerous baggage header values (e.g., headers exceeding 8 KB or containing hundreds of comma-separated key-value pairs).
  • Logs: Web server or proxy access logs showing requests with oversized baggage headers from one or more source IPs; application logs showing Java OutOfMemoryError or GC overhead limit exceeded errors.
  • Process: Sudden spike in JVM heap usage or CPU utilization on the instrumented Java service correlating with incoming HTTP traffic; JVM garbage collection logs showing continuous full GC cycles without memory recovery.

Mitigación y soluciones alternativas

Upgrade com.datadoghq:dd-java-agent to version 1.62.0 or later, which enforces item-count and byte-size limits on baggage header extraction as well as injection (GitHub Advisory). If an immediate upgrade is not possible, apply one or both of the following workarounds:

  • Disable baggage extraction: Remove baggage from the DD_TRACE_PROPAGATION_STYLE environment variable (or DD_TRACE_PROPAGATION_STYLE_EXTRACT if configured independently).
  • Cap HTTP request header size at the proxy/web server layer: Use LimitRequestFieldSize in Apache, large_client_header_buffers in Nginx, or max_request_headers_kb in Envoy to restrict the maximum size of incoming headers (DataDog Advisory).

Reacciones de la comunidad

The advisory references related upstream vulnerabilities in OpenTelemetry libraries (opentelemetry-go GHSA-mh2q-q3fh-2475 and opentelemetry-dotnet GHSA-g94r-2vxg-569j), suggesting this is a broader pattern affecting W3C baggage propagation implementations across multiple tracing ecosystems. No notable public researcher commentary or significant social media discussion has been identified beyond the official advisory (GitHub Advisory).

Recursos adicionales


FuenteEste informe se generó utilizando IA

Relacionado Java Vulnerabilidades:

CVE ID

Severidad

Puntuación

Tecnologías

Nombre del componente

Exploit de CISA KEV

Tiene arreglo

Fecha de publicación

CVE-2026-50270HIGH7.5
  • Java logoJava
  • com.datadoghq:dd-java-agent
NoJul 15, 2026
CVE-2026-59955HIGH7.5
  • Java logoJava
  • com.ctrip.framework.apollo:apollo
NoJul 15, 2026
CVE-2026-59954HIGH7.5
  • Java logoJava
  • com.ctrip.framework.apollo:apollo
NoNoJul 15, 2026
CVE-2026-44891HIGH7.5
  • Java logoJava
  • pinot
NoJul 14, 2026
CVE-2025-32781MEDIUM6.5
  • Java logoJava
  • com.ctrip.framework.apollo:apollo
NoJul 15, 2026

Evaluación gratuita de vulnerabilidades

Compare su postura de seguridad en la nube

Evalúe sus prácticas de seguridad en la nube en 9 dominios de seguridad para comparar su nivel de riesgo e identificar brechas en sus defensas.

Solicitar evaluación

Recursos adicionales de Wiz

Obtén una demostración personalizada

¿Listo para ver a Wiz en acción?

"La mejor experiencia de usuario que he visto en mi vida, proporciona una visibilidad completa de las cargas de trabajo en la nube."
David EstlickCISO
"Wiz proporciona un panel único para ver lo que ocurre en nuestros entornos en la nube."
Adam FletcherJefe de Seguridad
"Sabemos que si Wiz identifica algo como crítico, en realidad lo es."
Greg PoniatowskiJefe de Gestión de Amenazas y Vulnerabilidades