
PEACH
Un cadre d’isolation des locataires
CVE-2026-50272 is a Denial of Service vulnerability in the Datadog dd-trace-js tracing library caused by improper parsing of W3C baggage HTTP headers. Affected versions of dd-trace (npm) prior to 5.100.0 fail to enforce item-count or byte-size limits during baggage header extraction, allowing a remote, unauthenticated attacker to trigger unbounded CPU and memory consumption. The vulnerability was originally published on June 5, 2026, and added to the GitHub Advisory Database on July 15, 2026. It carries a CVSS v3.1 base score of 7.5 (High) (GitHub Advisory).
The root cause is classified as CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling). The dd-trace-js library implements W3C baggage propagation and applies size limits (DD_TRACE_BAGGAGE_MAX_ITEMS, default 64; DD_TRACE_BAGGAGE_MAX_BYTES, default 8192) only during baggage injection, not during extraction. An attacker can craft an HTTP request with a baggage header containing an arbitrarily large number of comma-separated key-value pairs or a single oversized value; the tracer allocates a hash-map entry for each pair on every request without any cap, exhausting CPU and memory. Because baggage propagation is enabled by default in affected tracer versions, any internet-facing service instrumented with a vulnerable version is exposed without additional configuration (GitHub Advisory, DataDog Advisory).
Successful exploitation causes unbounded CPU and memory consumption on the host running the instrumented Node.js service, resulting in a complete availability impact (High) with no confidentiality or integrity impact. Any internet-facing HTTP service instrumented with an affected dd-trace version and using the default propagation configuration is vulnerable to remote Denial of Service without authentication. Sustained attacks could render the service entirely unresponsive, potentially cascading to dependent microservices in distributed architectures (GitHub Advisory).
dd-trace-js versions prior to 5.100.0, which can sometimes be inferred from response headers or error messages referencing Datadog tracing.baggage header containing an extremely large number of comma-separated key-value pairs (e.g., key1=val1,key2=val2,...,keyN=valN with thousands of entries) or a single key-value pair with a very large value string.baggage headers (e.g., headers exceeding 8 KB or containing hundreds of comma-separated key-value pairs); high request rates from a single or distributed source targeting any HTTP endpoint.baggage header values; application logs showing repeated out-of-memory errors or garbage collection pressure in the Node.js process.Upgrade dd-trace (npm) to version 5.100.0 or later, which enforces item-count and byte-size limits on baggage header extraction as well as injection (GitHub Advisory). If an immediate upgrade is not possible, disable baggage extraction by removing baggage from the DD_TRACE_PROPAGATION_STYLE environment variable (or DD_TRACE_PROPAGATION_STYLE_EXTRACT if set independently). As an additional network-layer control, cap the maximum HTTP request header size at an upstream proxy or web server — for example, using Apache LimitRequestFieldSize, Nginx large_client_header_buffers, or Envoy max_request_headers_kb (DataDog Advisory).
The advisory notes that this class of vulnerability also affects related OpenTelemetry libraries, with upstream advisories published for opentelemetry-go (GHSA-mh2q-q3fh-2475) and opentelemetry-dotnet (GHSA-g94r-2vxg-569j), indicating a broader ecosystem concern with W3C baggage header parsing (DataDog Advisory). No significant public researcher commentary or media coverage beyond the official advisory has been identified at this time.
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."