dd-trace-rb - Improper parsing of W3C baggage headers may lead to DoS
Published: July 15, 2026
SECURITY IDENTIFIERS
- CVE: CVE-2026-50276 (NVD)
- GHSA: GHSA-p5f6-rccc-jv98
GEM
SEVERITY
CVSS v3.x: 7.5 (High)
PATCHED VERSIONS
>= 2.32.0
DESCRIPTION
Impact
Datadog tracing libraries that implement W3C baggage propagation parse incoming baggage HTTP headers without enforcing item-count or byte-size limits on the extract path. The DD_TRACE_BAGGAGE_MAX_ITEMS (default 64) and DD_TRACE_BAGGAGE_MAX_BYTES (default 8192) limits were applied only to baggage injection, not extraction. A remote, unauthenticated attacker can send a request whose baggage header contains an arbitrarily large number of comma-separated key-value pairs (or a single very large value). The tracer allocates a hash-map entry for each pair on every request, causing unbounded CPU and memory consumption and enabling a remote Denial of Service against any HTTP service that has the baggage propagation style enabled. The baggage propagation style is enabled by default in most affected tracers, so any internet-facing service that has been instrumented with an affected tracer version is exposed unless the propagation style has been explicitly narrowed.
RELATED
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-50276
- https://nvd.nist.gov/vuln/detail/CVE-2026-50276
- https://rubygems.org/gems/datadog/versions/2.32.0
- https://github.com/DataDog/dd-trace-rb/blob/master/CHANGELOG.md#2320---2026-05-08
- https://advisories.gitlab.com/gem/datadog/CVE-2026-50276
- https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-mh2q-q3fh-2475
- https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-g94r-2vxg-569j
- https://github.com/DataDog/dd-trace-rb/security/advisories/GHSA-p5f6-rccc-jv98
- https://github.com/advisories/GHSA-p5f6-rccc-jv98
