RubySec

Providing security resources for the Ruby community

CVE-2026-50276 (datadog): dd-trace-rb - Improper parsing of W3C baggage headers may lead to DoS

dd-trace-rb - Improper parsing of W3C baggage headers may lead to DoS

Published: July 15, 2026

SECURITY IDENTIFIERS

GEM

datadog

SEVERITY

CVSS v3.x: 7.5 (High)

PATCHED VERSIONS

>= 2.32.0

DESCRIPTION

Impact

Datadog tracing libraries that implement W3C baggage propagation parse incoming baggage HTTP headers without enforcing item-count or byte-size limits on the extract path. The DD_TRACE_BAGGAGE_MAX_ITEMS (default 64) and DD_TRACE_BAGGAGE_MAX_BYTES (default 8192) limits were applied only to baggage injection, not extraction. A remote, unauthenticated attacker can send a request whose baggage header contains an arbitrarily large number of comma-separated key-value pairs (or a single very large value). The tracer allocates a hash-map entry for each pair on every request, causing unbounded CPU and memory consumption and enabling a remote Denial of Service against any HTTP service that has the baggage propagation style enabled. The baggage propagation style is enabled by default in most affected tracers, so any internet-facing service that has been instrumented with an affected tracer version is exposed unless the propagation style has been explicitly narrowed.

RELATED