
PEACH
Un cadre d’isolation des locataires
CVE-2026-50270 is a Denial of Service vulnerability in the Datadog dd-trace-java tracing library caused by improper parsing of W3C baggage HTTP headers. The library fails to enforce item-count or byte-size limits during baggage header extraction, allowing a remote, unauthenticated attacker to trigger unbounded CPU and memory consumption. All versions of com.datadoghq:dd-java-agent prior to 1.62.0 are affected. The advisory was originally published on June 5, 2026, and added to the GitHub Advisory Database on July 15, 2026. It carries a CVSS v3.1 base score of 7.5 (High) (GitHub Advisory, DataDog Advisory).
The root cause is classified as CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling). The existing limits DD_TRACE_BAGGAGE_MAX_ITEMS (default 64) and DD_TRACE_BAGGAGE_MAX_BYTES (default 8192) were only applied to baggage injection (outbound), not extraction (inbound parsing). An attacker exploits this by sending HTTP requests with a crafted baggage header containing an arbitrarily large number of comma-separated key-value pairs or a single oversized value; the tracer allocates a hash-map entry for each pair on every request without any cap, exhausting server resources. No authentication or special privileges are required, and the baggage propagation style is enabled by default in affected tracers, making the attack surface broad (GitHub Advisory, DataDog Advisory).
Successful exploitation causes unbounded CPU and memory consumption on the targeted Java service, resulting in a complete availability impact (Denial of Service). There is no confidentiality or integrity impact — the vulnerability cannot be used to access or modify data. Any internet-facing HTTP service instrumented with an affected version of dd-trace-java and using the default propagation configuration is exposed, potentially rendering the service unresponsive to legitimate traffic (GitHub Advisory).
dd-trace-java versions prior to 1.62.0. This may be inferred from response headers, error messages, or service metadata.baggage header containing an extremely large number of comma-separated key-value pairs (e.g., key1=val1,key2=val2,...,keyN=valN with thousands of entries) or a single key-value pair with a very large value exceeding normal bounds.baggage header values (e.g., headers exceeding 8 KB or containing hundreds of comma-separated key-value pairs).baggage headers from one or more source IPs; application logs showing Java OutOfMemoryError or GC overhead limit exceeded errors.Upgrade com.datadoghq:dd-java-agent to version 1.62.0 or later, which enforces item-count and byte-size limits on baggage header extraction as well as injection (GitHub Advisory). If an immediate upgrade is not possible, apply one or both of the following workarounds:
baggage from the DD_TRACE_PROPAGATION_STYLE environment variable (or DD_TRACE_PROPAGATION_STYLE_EXTRACT if configured independently).LimitRequestFieldSize in Apache, large_client_header_buffers in Nginx, or max_request_headers_kb in Envoy to restrict the maximum size of incoming headers (DataDog Advisory).The advisory references related upstream vulnerabilities in OpenTelemetry libraries (opentelemetry-go GHSA-mh2q-q3fh-2475 and opentelemetry-dotnet GHSA-g94r-2vxg-569j), suggesting this is a broader pattern affecting W3C baggage propagation implementations across multiple tracing ecosystems. No notable public researcher commentary or significant social media discussion has been identified beyond the official advisory (GitHub Advisory).
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."