CVE-2026-50272
Received Received - Intake

Denial of Service in dd-trace Node.js APM Client

Vulnerability report for CVE-2026-50272, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

dd-trace is the Datadog APM client for Node.js. Prior to 5.100.0, W3C baggage propagation in packages/dd-trace/src/baggage.js and packages/dd-trace/src/opentracing/propagation/text_map.js parsed incoming baggage HTTP headers without enforcing DD_TRACE_BAGGAGE_MAX_ITEMS or DD_TRACE_BAGGAGE_MAX_BYTES on extraction. A remote, unauthenticated attacker can send a request whose baggage header contains an arbitrarily large number of comma-separated key-value pairs, or a single very large value, causing unbounded CPU and memory consumption and enabling a remote denial of service against any HTTP service with baggage propagation enabled. This issue is fixed in version 5.100.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-18
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
datadog dd-trace 5.100.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is in dd-trace, a Datadog APM client for Node.js. It allows a remote attacker to send a specially crafted HTTP request with an excessively large baggage header containing many key-value pairs or a single very large value. This causes unbounded CPU and memory consumption during header parsing, leading to a denial of service.

Detection Guidance

Check if your dd-trace version is below 5.100.0 by running: npm list dd-trace. Monitor for high CPU or memory usage during HTTP requests with large baggage headers. Use network traffic analysis tools to detect unusually large HTTP headers.

Impact Analysis

If you use dd-trace versions before 5.100.0 with baggage propagation enabled, an attacker could send malicious requests that consume excessive server resources, causing your application to slow down or crash. This disrupts service availability for legitimate users.

Compliance Impact

This vulnerability could indirectly impact compliance with GDPR and HIPAA by enabling denial of service attacks that disrupt services handling personal or health data. Unbounded CPU and memory consumption may lead to service unavailability, potentially violating availability requirements under these regulations.

Mitigation Strategies

Upgrade dd-trace to version 5.100.0 or later immediately. If upgrading is not possible, disable baggage propagation by setting DD_TRACE_BAGGAGE_ENABLED=false in your environment. Restrict network access to services using dd-trace to trusted sources only.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50272. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart