CVE-2026-50272
JavaScript Analyse et atténuation des vulnérabilités

Aperçu

CVE-2026-50272 is a Denial of Service vulnerability in the Datadog dd-trace-js tracing library caused by improper parsing of W3C baggage HTTP headers. Affected versions of dd-trace (npm) prior to 5.100.0 fail to enforce item-count or byte-size limits during baggage header extraction, allowing a remote, unauthenticated attacker to trigger unbounded CPU and memory consumption. The vulnerability was originally published on June 5, 2026, and added to the GitHub Advisory Database on July 15, 2026. It carries a CVSS v3.1 base score of 7.5 (High) (GitHub Advisory).

Détails techniques

The root cause is classified as CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling). The dd-trace-js library implements W3C baggage propagation and applies size limits (DD_TRACE_BAGGAGE_MAX_ITEMS, default 64; DD_TRACE_BAGGAGE_MAX_BYTES, default 8192) only during baggage injection, not during extraction. An attacker can craft an HTTP request with a baggage header containing an arbitrarily large number of comma-separated key-value pairs or a single oversized value; the tracer allocates a hash-map entry for each pair on every request without any cap, exhausting CPU and memory. Because baggage propagation is enabled by default in affected tracer versions, any internet-facing service instrumented with a vulnerable version is exposed without additional configuration (GitHub Advisory, DataDog Advisory).

Impact

Successful exploitation causes unbounded CPU and memory consumption on the host running the instrumented Node.js service, resulting in a complete availability impact (High) with no confidentiality or integrity impact. Any internet-facing HTTP service instrumented with an affected dd-trace version and using the default propagation configuration is vulnerable to remote Denial of Service without authentication. Sustained attacks could render the service entirely unresponsive, potentially cascading to dependent microservices in distributed architectures (GitHub Advisory).

Étapes d’exploitation

  1. Reconnaissance: Identify internet-facing HTTP services instrumented with Datadog dd-trace-js versions prior to 5.100.0, which can sometimes be inferred from response headers or error messages referencing Datadog tracing.
  2. Craft malicious baggage header: Construct an HTTP request with a baggage header containing an extremely large number of comma-separated key-value pairs (e.g., key1=val1,key2=val2,...,keyN=valN with thousands of entries) or a single key-value pair with a very large value string.
  3. Send requests to target: Repeatedly send the crafted HTTP requests to any endpoint of the target service. Each request causes the tracer to allocate hash-map entries for every baggage pair without limit.
  4. Trigger resource exhaustion: The accumulation of unbounded allocations per request causes CPU and memory to spike, eventually degrading or crashing the service and achieving Denial of Service (GitHub Advisory, DataDog Advisory).

Indicateurs de compromis

  • Network: Incoming HTTP requests with abnormally large or complex baggage headers (e.g., headers exceeding 8 KB or containing hundreds of comma-separated key-value pairs); high request rates from a single or distributed source targeting any HTTP endpoint.
  • Logs: Web server or proxy access logs showing requests with oversized baggage header values; application logs showing repeated out-of-memory errors or garbage collection pressure in the Node.js process.
  • Process: Node.js process exhibiting sustained high CPU usage or rapidly growing memory consumption correlated with incoming HTTP traffic; process crashes or restarts triggered by memory exhaustion.

Atténuation et solutions de contournement

Upgrade dd-trace (npm) to version 5.100.0 or later, which enforces item-count and byte-size limits on baggage header extraction as well as injection (GitHub Advisory). If an immediate upgrade is not possible, disable baggage extraction by removing baggage from the DD_TRACE_PROPAGATION_STYLE environment variable (or DD_TRACE_PROPAGATION_STYLE_EXTRACT if set independently). As an additional network-layer control, cap the maximum HTTP request header size at an upstream proxy or web server — for example, using Apache LimitRequestFieldSize, Nginx large_client_header_buffers, or Envoy max_request_headers_kb (DataDog Advisory).

Réactions de la communauté

The advisory notes that this class of vulnerability also affects related OpenTelemetry libraries, with upstream advisories published for opentelemetry-go (GHSA-mh2q-q3fh-2475) and opentelemetry-dotnet (GHSA-g94r-2vxg-569j), indicating a broader ecosystem concern with W3C baggage header parsing (DataDog Advisory). No significant public researcher commentary or media coverage beyond the official advisory has been identified at this time.

Ressources additionnelles


SourceCe rapport a été généré à l’aide de l’IA

Apparenté JavaScript Vulnérabilités:

Identifiant CVE

Sévérité

Score

Technologies

Nom du composant

Exploit CISA KEV

A corrigé

Date de publication

CVE-2026-54504HIGH8.8
  • JavaScript logoJavaScript
  • @andrea9293/mcp-documentation-server
NonOuiJul 15, 2026
CVE-2026-50289HIGH8.7
  • JavaScript logoJavaScript
  • systeminformation
NonOuiJul 15, 2026
CVE-2026-48795HIGH8.6
  • JavaScript logoJavaScript
  • @adonisjs/bodyparser
NonOuiJul 15, 2026
CVE-2026-50272HIGH7.5
  • JavaScript logoJavaScript
  • dd-trace
NonOuiJul 15, 2026
CVE-2026-54490MEDIUM6.3
  • JavaScript logoJavaScript
  • websocket-driver
NonOuiJul 15, 2026

Évaluation gratuite des vulnérabilités

Évaluez votre posture de sécurité dans le cloud

Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.

Demander une évaluation

Obtenez une démo personnalisée

Prêt(e) à voir Wiz en action ?

"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
David EstlickRSSI
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
Adam FletcherChef du service de sécurité
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."
Greg PoniatowskiResponsable de la gestion des menaces et des vulnérabilités