GHSA-8785-wc3w-h8q6
Suggest an improvement- Source
- https://github.com/advisories/GHSA-8785-wc3w-h8q6
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-8785-wc3w-h8q6/GHSA-8785-wc3w-h8q6.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-8785-wc3w-h8q6
- Aliases
- Related
- Published
- 2025-03-05T18:15:22Z
- Modified
- 2025-03-05T22:10:36.202476Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- OpenTelemetry .NET has Denial of Service (DoS) Vulnerability in API Package
- Details
-
Impact
What kind of vulnerability is it? Who is impacted?
A vulnerability in
OpenTelemetry.Apipackage1.10.0to1.11.1could cause a Denial of Service (DoS) when atracestateandtraceparentheader is received.- Even if an application does not explicitly use trace context propagation, receiving these headers can still trigger high CPU usage.
- This issue impacts any application accessible over the web or backend services that process HTTP requests containing a
tracestateheader. - Application may experience excessive resource consumption, leading to increased latency, degraded performance, or downtime.
Patches
Has the problem been patched? What versions should users upgrade to?
This issue has been <strong data-start="1143" data-end="1184">resolved in OpenTelemetry.Api 1.11.2</strong> by <strong data-start="1188" data-end="1212">reverting the change</strong> that introduced the problematic behavior in versions <strong data-start="1266" data-end="1286">1.10.0 to 1.11.1</strong>.</li><li data-start="1290" data-end="1409">The fix ensures that <strong data-start="1313" data-end="1380">valid tracing headers no longer cause excessive CPU consumption</strong> when received in requests.</li></ul><h4 data-start="1411" data-end="1434"><strong data-start="1416" data-end="1434">Fixed Version:</strong></h4> OpenTelemetry .NET Version | Status -- | -- <= 1.9.x | ✅ Not affected 1.10.0 - 1.11.1 | ❌ Vulnerable 1.11.2 (Fixed) | ✅ Safe to use
Upgrade Command:
dotnet add package OpenTelemetry --version 1.11.2Delisting of Affected Packages To prevent accidental usage, we have delisted the affected versions (1.10.0 to 1.11.1) from NuGet. Users should avoid these versions and upgrade to 1.11.2 immediately.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
References
Are there any links users can visit to find out more?
- Database specific
{ "nvd_published_at": "2025-03-05T19:15:39Z", "cwe_ids": [ "CWE-770" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2025-03-05T18:15:22Z" }- References
-
- https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-8785-wc3w-h8q6
- https://nvd.nist.gov/vuln/detail/CVE-2025-27513
- https://github.com/open-telemetry/opentelemetry-dotnet/pull/6161
- https://github.com/open-telemetry/opentelemetry-dotnet/commit/1b555c1201413f2f55f2cd3c4ba03ef4b615b6b5
- https://github.com/open-telemetry/opentelemetry-dotnet
Affected packages
NuGet / OpenTelemetry.Api
Package
- Name
- OpenTelemetry.Api
- View open source insights on deps.dev
- Purl
- pkg:nuget/OpenTelemetry.Api
NuGet / OpenTelemetry.Api
Package
- Name
- OpenTelemetry.Api
- View open source insights on deps.dev
- Purl
- pkg:nuget/OpenTelemetry.Api
NuGet / OpenTelemetry.Api
Package
- Name
- OpenTelemetry.Api
- View open source insights on deps.dev
- Purl
- pkg:nuget/OpenTelemetry.Api
NuGet / OpenTelemetry.Api
Package
- Name
- OpenTelemetry.Api
- View open source insights on deps.dev
- Purl
- pkg:nuget/OpenTelemetry.Api
NuGet / OpenTelemetry.Api
Package
- Name
- OpenTelemetry.Api
- View open source insights on deps.dev
- Purl
- pkg:nuget/OpenTelemetry.Api