GHSA-vc29-vg52-6643: 
C# vulnerability analysis and mitigation

A vulnerability (CVE-2025-27513) was discovered in OpenTelemetry.Api package versions 1.10.0 to 1.11.1, which could cause a Denial of Service (DoS) when processing tracestate and traceparent headers. This vulnerability affects OpenTelemetry .NET Automatic Instrumentation versions 1.10.0-beta.1 and 1.10.0. The issue was disclosed on March 6, 2025, and has been assigned a high severity rating with a CVSS score of 7.5 (GitHub Advisory).

The vulnerability is triggered when processing HTTP requests containing tracestate and traceparent headers, causing excessive CPU usage even in applications that don't explicitly use trace context propagation. The issue has been classified with CWE-770 (Allocation of Resources Without Limits or Throttling). The vulnerability is characterized by network attack vector, low attack complexity, no privileges required, and no user interaction needed, as indicated by the CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (GitHub Advisory, NVD).

The vulnerability affects any application accessible over the web or backend services that process HTTP requests containing a tracestate header. When exploited, applications may experience excessive resource consumption, leading to increased latency, degraded performance, or complete downtime (GitHub Advisory).

The issue has been resolved in OpenTelemetry.Api 1.11.2 by reverting the change that introduced the problematic behavior. OpenTelemetry .NET Automatic Instrumentation fixes it in version 1.11.0. To prevent accidental usage, the affected versions (1.10.0 to 1.11.1) have been delisted from NuGet. Users are advised to upgrade to the patched versions immediately (GitHub Advisory).