CVE-2026-59892
Received Received - Intake

OpenTelemetry JavaScript JaegerPropagator URIError DoS

Vulnerability report for CVE-2026-59892, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

OpenTelemetry JavaScript is the OpenTelemetry JavaScript client. Prior to 2.9.0, @opentelemetry/propagator-jaeger decodes incoming uber-trace-id and uberctx-* HTTP header values with decodeURIComponent() without handling decode errors, allowing an unauthenticated remote attacker to send a malformed percent-encoded value that throws an uncaught URIError and terminates a Node.js process using JaegerPropagator as the active propagator. This issue is fixed in version 2.9.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
opentelemetry propagator_jaeger to 2.9.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-248 An exception is thrown from a function, but it is not caught.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability exists in the OpenTelemetry JavaScript client, specifically in the @opentelemetry/propagator-jaeger package versions prior to 2.9.0. It occurs because the package decodes incoming HTTP headers named uber-trace-id and uberctx-* using decodeURIComponent() without handling errors that arise from malformed percent-encoded values.

An unauthenticated remote attacker can send a specially crafted malformed percent-encoded value in these headers, which causes decodeURIComponent() to throw an uncaught URIError. This error terminates the Node.js process that is using JaegerPropagator as the active propagator, leading to a denial-of-service condition.

The issue is fixed in version 2.9.0 by adding error handling around decodeURIComponent() calls to gracefully skip malformed entries instead of throwing exceptions.

Compliance Impact

The vulnerability in OpenTelemetry JavaScript's JaegerPropagator causes a denial-of-service (DoS) condition by terminating the Node.js process when malformed percent-encoded HTTP headers are received. This affects service availability but does not impact confidentiality or integrity of data.

Since the vulnerability does not compromise data confidentiality or integrity, it does not directly violate compliance requirements related to data protection standards such as GDPR or HIPAA, which primarily focus on protecting personal data privacy and security.

However, the disruption of service availability caused by this vulnerability could indirectly affect compliance with regulations that require maintaining service continuity and availability, depending on the specific regulatory environment and organizational policies.

Impact Analysis

This vulnerability can cause a denial-of-service (DoS) condition by terminating the Node.js process running the application that uses JaegerPropagator as the active propagator.

An unauthenticated remote attacker can exploit this by sending a single malicious HTTP request with malformed percent-encoded values in the uber-trace-id or uberctx-* headers, causing the process to crash.

This disrupts service availability but does not affect confidentiality or integrity of data.

Users are affected only if they explicitly configure JaegerPropagator as the global propagator. If used with other propagators in a CompositePropagator, the process does not terminate but affected requests fail silently.

The recommended mitigation is to upgrade to version 2.9.0 or later, which handles malformed headers gracefully. Temporary mitigations include validating or stripping untrusted headers at the edge using reverse proxies or API gateways.

Detection Guidance

This vulnerability can be detected by monitoring for Node.js process crashes or terminations caused by uncaught URIError exceptions when processing HTTP headers related to Jaeger propagation, specifically the 'uber-trace-id' and 'uberctx-*' headers.

To detect attempts to exploit this vulnerability on your network, you can look for incoming HTTP requests containing malformed percent-encoded values in these headers.

  • Use network packet capture tools like tcpdump or Wireshark to filter HTTP traffic and inspect headers for malformed percent-encoding patterns (e.g., bare '%' characters).
  • Example tcpdump command to capture HTTP headers containing 'uber-trace-id' or 'uberctx-' strings: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -iE 'uber-trace-id|uberctx-'
  • Monitor Node.js application logs for uncaught URIError exceptions or unexpected process terminations.
  • If using JaegerPropagator explicitly, add logging around the propagation extraction code to detect decoding failures.
Mitigation Strategies

The primary mitigation is to upgrade the @opentelemetry/propagator-jaeger package to version 2.9.0 or later, where the vulnerability is fixed by handling malformed percent-encoded headers gracefully.

If upgrading immediately is not possible, implement temporary mitigations by validating or stripping untrusted 'uber-trace-id' and 'uberctx-*' headers at the network edge using reverse proxies or API gateways to prevent malformed headers from reaching the Node.js process.

Additionally, monitor your Node.js processes for crashes and consider adding error handling around the propagation extraction code to prevent process termination.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59892. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart