CVE-2026-50270
Java Analyse et atténuation des vulnérabilités

Aperçu

CVE-2026-50270 is a Denial of Service vulnerability in the Datadog dd-trace-java tracing library caused by improper parsing of W3C baggage HTTP headers. The library fails to enforce item-count or byte-size limits during baggage header extraction, allowing a remote, unauthenticated attacker to trigger unbounded CPU and memory consumption. All versions of com.datadoghq:dd-java-agent prior to 1.62.0 are affected. The advisory was originally published on June 5, 2026, and added to the GitHub Advisory Database on July 15, 2026. It carries a CVSS v3.1 base score of 7.5 (High) (GitHub Advisory, DataDog Advisory).

Détails techniques

The root cause is classified as CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling). The existing limits DD_TRACE_BAGGAGE_MAX_ITEMS (default 64) and DD_TRACE_BAGGAGE_MAX_BYTES (default 8192) were only applied to baggage injection (outbound), not extraction (inbound parsing). An attacker exploits this by sending HTTP requests with a crafted baggage header containing an arbitrarily large number of comma-separated key-value pairs or a single oversized value; the tracer allocates a hash-map entry for each pair on every request without any cap, exhausting server resources. No authentication or special privileges are required, and the baggage propagation style is enabled by default in affected tracers, making the attack surface broad (GitHub Advisory, DataDog Advisory).

Impact

Successful exploitation causes unbounded CPU and memory consumption on the targeted Java service, resulting in a complete availability impact (Denial of Service). There is no confidentiality or integrity impact — the vulnerability cannot be used to access or modify data. Any internet-facing HTTP service instrumented with an affected version of dd-trace-java and using the default propagation configuration is exposed, potentially rendering the service unresponsive to legitimate traffic (GitHub Advisory).

Étapes d’exploitation

  1. Reconnaissance: Identify internet-facing HTTP services instrumented with Datadog dd-trace-java versions prior to 1.62.0. This may be inferred from response headers, error messages, or service metadata.
  2. Craft malicious baggage header: Construct an HTTP request with a baggage header containing an extremely large number of comma-separated key-value pairs (e.g., key1=val1,key2=val2,...,keyN=valN with thousands of entries) or a single key-value pair with a very large value exceeding normal bounds.
  3. Send requests to target: Repeatedly send the crafted HTTP requests to any endpoint of the target service. No authentication is required.
  4. Trigger resource exhaustion: Each request causes the tracer to allocate hash-map entries for every baggage pair without limit, progressively consuming CPU and memory until the service becomes unresponsive or crashes (GitHub Advisory, DataDog Advisory).

Indicateurs de compromis

  • Network: Repeated HTTP requests to service endpoints containing abnormally large or numerous baggage header values (e.g., headers exceeding 8 KB or containing hundreds of comma-separated key-value pairs).
  • Logs: Web server or proxy access logs showing requests with oversized baggage headers from one or more source IPs; application logs showing Java OutOfMemoryError or GC overhead limit exceeded errors.
  • Process: Sudden spike in JVM heap usage or CPU utilization on the instrumented Java service correlating with incoming HTTP traffic; JVM garbage collection logs showing continuous full GC cycles without memory recovery.

Atténuation et solutions de contournement

Upgrade com.datadoghq:dd-java-agent to version 1.62.0 or later, which enforces item-count and byte-size limits on baggage header extraction as well as injection (GitHub Advisory). If an immediate upgrade is not possible, apply one or both of the following workarounds:

  • Disable baggage extraction: Remove baggage from the DD_TRACE_PROPAGATION_STYLE environment variable (or DD_TRACE_PROPAGATION_STYLE_EXTRACT if configured independently).
  • Cap HTTP request header size at the proxy/web server layer: Use LimitRequestFieldSize in Apache, large_client_header_buffers in Nginx, or max_request_headers_kb in Envoy to restrict the maximum size of incoming headers (DataDog Advisory).

Réactions de la communauté

The advisory references related upstream vulnerabilities in OpenTelemetry libraries (opentelemetry-go GHSA-mh2q-q3fh-2475 and opentelemetry-dotnet GHSA-g94r-2vxg-569j), suggesting this is a broader pattern affecting W3C baggage propagation implementations across multiple tracing ecosystems. No notable public researcher commentary or significant social media discussion has been identified beyond the official advisory (GitHub Advisory).

Ressources additionnelles


SourceCe rapport a été généré à l’aide de l’IA

Apparenté Java Vulnérabilités:

Identifiant CVE

Sévérité

Score

Technologies

Nom du composant

Exploit CISA KEV

A corrigé

Date de publication

CVE-2026-50270HIGH7.5
  • Java logoJava
  • com.datadoghq:dd-java-agent
NonOuiJul 15, 2026
CVE-2026-59955HIGH7.5
  • Java logoJava
  • com.ctrip.framework.apollo:apollo
NonOuiJul 15, 2026
CVE-2026-59954HIGH7.5
  • Java logoJava
  • com.ctrip.framework.apollo:apollo
NonNonJul 15, 2026
CVE-2026-44891HIGH7.5
  • Java logoJava
  • pinot
NonOuiJul 14, 2026
CVE-2025-32781MEDIUM6.5
  • Java logoJava
  • com.ctrip.framework.apollo:apollo
NonOuiJul 15, 2026

Évaluation gratuite des vulnérabilités

Évaluez votre posture de sécurité dans le cloud

Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.

Demander une évaluation

Obtenez une démo personnalisée

Prêt(e) à voir Wiz en action ?

"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
David EstlickRSSI
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
Adam FletcherChef du service de sécurité
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."
Greg PoniatowskiResponsable de la gestion des menaces et des vulnérabilités