CVE-2026-54285
Status: Received - Intake
W3C Baggage Header Parsing Memory Exhaustion in OpenTelemetry JavaScript

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description
opentelemetry-js is the OpenTelemetry JavaScript Client. Prior to 2.8.0, W3CBaggagePropagator.extract() in @opentelemetry/core does not enforce size limits when parsing inbound baggage HTTP headers. The W3C Baggage specification recommends a maximum of 8,192 bytes and 180 entries; these limits were only enforced on the outbound (inject()) path, not on the inbound (extract()) path. Parsing oversized baggage causes memory allocation proportional to the header size without any cap. This vulnerability is fixed in 2.8.0.
Meta Information
CVSS Scores: none listed
EPSS Scores: not yet evaluated (N/A)
Generated: 2026-06-23
AI Q&A: 2026-06-22
Affected Vendors & Products (2 associated CPEs)
Vendor            Product            Version / Range
open_telemetry    core               < 2.8.0
open_telemetry    opentelemetry-js   < 2.8.0
CWE
CWE-770: The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Executive Summary

CVE-2026-54285 affects W3CBaggagePropagator.extract() in the @opentelemetry/core package. extract() parses the inbound baggage HTTP header into baggage entries, but versions before 2.8.0 enforce no size limit while doing so.

The W3C Baggage specification recommends a maximum of 8,192 bytes and 180 entries per header. @opentelemetry/core applied those limits only on the outbound inject() path, so an inbound header of any size was parsed in full, with memory allocation proportional to its length and with no cap.

The issue is fixed in version 2.8.0 of @opentelemetry/core, which applies size limits on the extract() path as well.

Impact Analysis

Parsing an oversized inbound baggage header allocates memory proportional to the header size, so a client that controls request headers can force the affected process to allocate more than it would for well-formed traffic. The outcome is resource exhaustion: degraded performance, crashes, or denial of service.

In most Node.js deployments the impact is limited, because Node's HTTP parser rejects requests whose header block exceeds --max-http-header-size (16,384 bytes by default), so a single baggage header can be at most about twice the recommended total. The risk is higher where that transport-layer cap does not apply: non-HTTP transports (message-queue headers or other custom carriers) that pass baggage to the propagator, or servers started with a larger --max-http-header-size or maxHeaderSize setting.

Detection Guidance

The vulnerable behaviour is unbounded memory allocation while parsing inbound baggage headers in @opentelemetry/core before 2.8.0, so detection can focus on baggage headers that exceed the W3C recommended limits: 8,192 bytes in total, 180 list-members, or 4,096 bytes for any single member.

Because the carrier is usually an HTTP header, the practical place to look is wherever request headers are visible in cleartext: a packet capture in front of a plaintext backend, or the access log of the TLS-terminating proxy. Suggested approaches:

  • tcpdump or tshark on plaintext traffic to isolate requests that carry a baggage header; TLS traffic must be captured behind the terminator or decrypted first.
  • Example tshark filter on the per-header field http.request.line: tshark -r capture.pcap -Y 'http.request.line matches "(?i)^baggage:"' -T fields -e ip.src -e http.request.line
  • curl to send a deliberately oversized baggage header to a staging instance and confirm that the gateway or application rejects or caps it rather than processing it.

Additionally, check the installed version of @opentelemetry/core in each service (for example npm ls @opentelemetry/core) and treat anything below 2.8.0 as vulnerable; a service that only receives baggage through a non-HTTP carrier is still affected.

Mitigation Strategies

The primary mitigation is to update @opentelemetry/core to version 2.8.0 or later, where inbound baggage is subject to size limits on the extract() path.

If an immediate update is not possible, additional mitigations include:

  • Keep the transport-layer header cap in place and do not raise it without need: Node's --max-http-header-size (16,384 bytes by default) or the maxHeaderSize option of http.createServer(), and the equivalent setting on any reverse proxy in front of the service (for example large_client_header_buffers in nginx).
  • Validate input sizes for non-HTTP transports before passing baggage data to the propagator, applying the same limits the W3C specification recommends (8,192 bytes total, 180 entries, 4,096 bytes per entry).

These steps bound the allocation the propagator can be made to perform while parsing a single baggage header.
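The following is an added example, not code from the OpenTelemetry project or from this advisory, showing the pre-check the second mitigation above describes and the size verdict the detection guidance suggests logging. It applies the W3C recommended limits (8,192 bytes total, 180 list-members, 4,096 bytes per member) to an inbound baggage header before the carrier reaches W3CBaggagePropagator.extract(). The function names (checkBaggageHeader, sanitizeCarrier, runSamples) and the sample headers are constructed for this example and are not part of @opentelemetry/core.

```javascript
// Added example, not OpenTelemetry project code: a pre-check that applies the
// W3C Baggage size recommendations (8,192 bytes total, 180 list-members,
// 4,096 bytes per member) to an inbound `baggage` header before the carrier is
// handed to W3CBaggagePropagator.extract(). All function names and the sample
// headers below are constructed for this example.

const MAX_TOTAL_BYTES = 8192;   // W3C recommended total header size
const MAX_ENTRIES = 180;        // W3C recommended maximum list-members
const MAX_ENTRY_BYTES = 4096;   // W3C recommended maximum per list-member

// Check one header value. Returns a verdict object rather than throwing, so a
// gateway can log the reason and the observed size (useful for detection).
// The total-size check runs before any splitting, so an oversized header is
// rejected with one byteLength call and no allocation proportional to its
// entry count.
function checkBaggageHeader(header) {
  if (typeof header !== 'string') {
    return { ok: false, reason: 'not-a-string', bytes: 0, entries: 0 };
  }
  const bytes = Buffer.byteLength(header, 'utf8');
  if (bytes > MAX_TOTAL_BYTES) {
    return { ok: false, reason: 'total-bytes', bytes, entries: 0 };
  }
  // Walk the header once, counting list-members and measuring each one,
  // without building an array of all entries first.
  let entries = 0;
  let start = 0;
  for (let i = 0; i <= header.length; i++) {
    if (i < header.length && header[i] !== ',') continue;
    const member = header.slice(start, i).trim();
    start = i + 1;
    if (member.length === 0) continue;          // tolerate empty members
    entries++;
    if (entries > MAX_ENTRIES) {
      return { ok: false, reason: 'entries', bytes, entries };
    }
    if (Buffer.byteLength(member, 'utf8') > MAX_ENTRY_BYTES) {
      return { ok: false, reason: 'entry-bytes', bytes, entries };
    }
  }
  return { ok: true, reason: null, bytes, entries };
}

// Return a copy of an inbound carrier (an HTTP headers object, a message's
// metadata map, etc.) with any `baggage` key removed when its value fails the
// check. Header names are matched case-insensitively; a repeated header that
// Node has already turned into an array is joined with ',' first.
function sanitizeCarrier(carrier) {
  const out = { ...carrier };
  for (const key of Object.keys(out)) {
    if (key.toLowerCase() !== 'baggage') continue;
    const raw = Array.isArray(out[key]) ? out[key].join(',') : out[key];
    if (!checkBaggageHeader(raw).ok) delete out[key];
  }
  return out;
}

// Constructed sample headers covering the accepted case and each limit.
const SAMPLE_HEADERS = {
  normal: 'userId=alice,serverNode=DF%2028,isProduction=false',
  tooLarge: 'k=' + 'a'.repeat(9000),                                   // 9,002 bytes
  tooManyEntries: Array.from({ length: 181 }, (_, i) => `k${i}=v`).join(','),
  entryTooLarge: 'k=' + 'a'.repeat(5000),                              // one 5,002-byte member
};

// Run the check over every sample and return the verdicts keyed by name.
function runSamples() {
  const results = {};
  for (const [name, header] of Object.entries(SAMPLE_HEADERS)) {
    results[name] = checkBaggageHeader(header);
  }
  return results;
}

for (const [name, verdict] of Object.entries(runSamples())) {
  console.log(name.padEnd(15), JSON.stringify(verdict));
}
```

sanitizeCarrier drops the whole header rather than truncating it, because a header that breaches the recommended limits on the inbound side is more likely hostile or misconfigured than legitimately large, and the caller loses nothing it was entitled to rely on. In a plain Node HTTP server the default 16,384-byte header cap already bounds the worst case, so this guard matters most for carriers that bypass that cap; in every case it is a stopgap alongside, not instead of, the upgrade to 2.8.0.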

Compliance Impact

The provided information does not specify any direct impact of the CVE-2026-54285 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
