GHSA-vc29-vg52-6643
Suggest an improvement- Source
- https://github.com/advisories/GHSA-vc29-vg52-6643
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-vc29-vg52-6643/GHSA-vc29-vg52-6643.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-vc29-vg52-6643
- Published
- 2025-03-06T22:33:43Z
- Modified
- 2025-03-06T22:45:14.304639Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- DoS Vulnerability in TraceContextPropagator.Extract - OpenTelemetry.Api
- Details
-
Impact
What kind of vulnerability is it? Who is impacted?
A vulnerability in
OpenTelemetry.Apipackage1.10.0to1.11.1could cause a Denial of Service (DoS) when a tracestate and traceparent header is received. These versions are used in OpenTelemetry .NET Automatic Instrumentation1.10.0-beta.1and1.10.0.Even if an application does not explicitly use trace context propagation, receiving these headers can still trigger high CPU usage. This issue impacts any application accessible over the web or backend services that process HTTP requests containing a tracestate header. Application may experience excessive resource consumption, leading to increased latency, degraded performance, or downtime.
Patches
Has the problem been patched? What versions should users upgrade to?
This issue has been resolved in
OpenTelemetry.Api1.11.2by reverting the change that introduced the problematic behavior in versions1.10.0to1.11.1. OpenTelemetry .NET Automatic Instrumentation fixes it in1.11.0release.Fixed version
| OpenTelemetry .NET Automatic Instrumentation | Status | |----|----| | <= 1.9.0 | ✅ Not affected | | 1.10.0-beta.1, 1.10.0 | ❌ Vulnerable | | 1.11.0 (Fixed)| ✅ Safe to use|
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
References
Are there any links users can visit to find out more?
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-770" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2025-03-06T22:33:43Z" }- References
-
- https://github.com/open-telemetry/opentelemetry-dotnet-instrumentation/security/advisories/GHSA-vc29-vg52-6643
- https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-8785-wc3w-h8q6
- https://nvd.nist.gov/vuln/detail/CVE-2025-27513
- https://github.com/open-telemetry/opentelemetry-dotnet-instrumentation
Affected packages
NuGet / OpenTelemetry.AutoInstrumentation
Package
- Name
- OpenTelemetry.AutoInstrumentation
- View open source insights on deps.dev
- Purl
- pkg:nuget/OpenTelemetry.AutoInstrumentation