ghsa-8785-wc3w-h8q6
Vulnerability from github
Published
2025-03-05 18:15
Modified
2025-03-05 21:54
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Summary
OpenTelemetry .NET has Denial of Service (DoS) Vulnerability in API Package
Details

Impact

What kind of vulnerability is it? Who is impacted?

A vulnerability in OpenTelemetry.Api package 1.10.0 to 1.11.1 could cause a Denial of Service (DoS) when a tracestate and traceparent header is received.

  • Even if an application does not explicitly use trace context propagation, receiving these headers can still trigger high CPU usage.
  • This issue impacts any application accessible over the web or backend services that process HTTP requests containing a tracestate header.
  • Application may experience excessive resource consumption, leading to increased latency, degraded performance, or downtime.

Patches

Has the problem been patched? What versions should users upgrade to?

This issue has been resolved in OpenTelemetry.Api 1.11.2 by reverting the change that introduced the problematic behavior in versions 1.10.0 to 1.11.1.

  • The fix ensures that valid tracing headers no longer cause excessive CPU consumption when received in requests.

    • Fixed Version:

    OpenTelemetry .NET Version | Status -- | -- <= 1.9.x | ✅ Not affected 1.10.0 - 1.11.1 | ❌ Vulnerable 1.11.2 (Fixed) | ✅ Safe to use

    Upgrade Command:

    dotnet add package OpenTelemetry --version 1.11.2

    Delisting of Affected Packages To prevent accidental usage, we have delisted the affected versions (1.10.0 to 1.11.1) from NuGet. Users should avoid these versions and upgrade to 1.11.2 immediately.

    Workarounds

    Is there a way for users to fix or remediate the vulnerability without upgrading?

    References

    Are there any links users can visit to find out more?

    Show details on source website

    To clipboard 

    {
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "OpenTelemetry.Api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.11.0"
            },
            {
              "fixed": "1.11.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "OpenTelemetry.Api"
      },
      "versions": [
        "1.10.0"
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "OpenTelemetry.Api"
      },
      "versions": [
        "1.10.0-beta.1"
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "OpenTelemetry.Api"
      },
      "versions": [
        "1.10.0-rc.1"
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "OpenTelemetry.Api"
      },
      "versions": [
        "1.11.0-rc.1"
      ]
    }
  ],
  "aliases": [
    "CVE-2025-27513"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-05T18:15:22Z",
    "nvd_published_at": "2025-03-05T19:15:39Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nA vulnerability in `OpenTelemetry.Api` package `1.10.0` to `1.11.1` could cause a Denial of Service (DoS) when a `tracestate` and `traceparent` header is received.\n\n* Even if an application does not explicitly use trace context propagation, receiving these headers can still trigger high CPU usage.\n* This issue impacts any application accessible over the web or backend services that process HTTP requests containing a `tracestate` header.\n* Application may experience excessive resource consumption, leading to increased latency, degraded performance, or downtime.\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\nThis issue has been \u003cstrong data-start=\"1143\" data-end=\"1184\"\u003eresolved in OpenTelemetry.Api 1.11.2\u003c/strong\u003e by \u003cstrong data-start=\"1188\" data-end=\"1212\"\u003ereverting the change\u003c/strong\u003e that introduced the problematic behavior in versions \u003cstrong data-start=\"1266\" data-end=\"1286\"\u003e1.10.0 to 1.11.1\u003c/strong\u003e.\u003c/li\u003e\u003cli data-start=\"1290\" data-end=\"1409\"\u003eThe fix ensures that \u003cstrong data-start=\"1313\" data-end=\"1380\"\u003evalid tracing headers no longer cause excessive CPU consumption\u003c/strong\u003e when received in requests.\u003c/li\u003e\u003c/ul\u003e\u003ch4 data-start=\"1411\" data-end=\"1434\"\u003e\u003cstrong data-start=\"1416\" data-end=\"1434\"\u003eFixed Version:\u003c/strong\u003e\u003c/h4\u003e\nOpenTelemetry .NET Version | Status\n-- | --\n\u003c= 1.9.x | \u2705 Not affected\n1.10.0 - 1.11.1 | \u274c Vulnerable\n1.11.2 (Fixed) | \u2705 Safe to use\n\n**Upgrade Command:**\n\n```\ndotnet add package OpenTelemetry --version 1.11.2\n```\n\n**Delisting of Affected Packages**\nTo prevent accidental usage, we have delisted the affected versions (1.10.0 to 1.11.1) from NuGet. Users should avoid these versions and upgrade to 1.11.2 immediately.\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\n### References\n_Are there any links users can visit to find out more?_",
  "id": "GHSA-8785-wc3w-h8q6",
  "modified": "2025-03-05T21:54:14Z",
  "published": "2025-03-05T18:15:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-8785-wc3w-h8q6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27513"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/6161"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open-telemetry/opentelemetry-dotnet/commit/1b555c1201413f2f55f2cd3c4ba03ef4b615b6b5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/open-telemetry/opentelemetry-dotnet"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenTelemetry .NET has Denial of Service (DoS) Vulnerability in API Package"
}


    Log in or create an account to share your comment.




    Tags
    Taxonomy of the tags.




    Sightings

    Author Source Type Date

    Nomenclature

    • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
    • Confirmed: The vulnerability is confirmed from an analyst perspective.
    • Published Proof of Concept: A public proof of concept is available for this vulnerability.
    • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
    • Patched: This vulnerability was successfully patched by the user reporting the sighting.
    • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
    • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
    • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.