GHSA-VC29-VG52-6643
Vulnerability from github – Published: 2025-03-06 22:33 – Updated: 2025-03-06 22:33Impact
What kind of vulnerability is it? Who is impacted?
A vulnerability in OpenTelemetry.Api package 1.10.0 to 1.11.1 could cause a Denial of Service (DoS) when a tracestate and traceparent header is received. These versions are used in OpenTelemetry .NET Automatic Instrumentation 1.10.0-beta.1 and 1.10.0.
Even if an application does not explicitly use trace context propagation, receiving these headers can still trigger high CPU usage. This issue impacts any application accessible over the web or backend services that process HTTP requests containing a tracestate header. Application may experience excessive resource consumption, leading to increased latency, degraded performance, or downtime.
Patches
Has the problem been patched? What versions should users upgrade to?
This issue has been resolved in OpenTelemetry.Api 1.11.2 by reverting the change that introduced the problematic behavior in versions 1.10.0 to 1.11.1. OpenTelemetry .NET Automatic Instrumentation fixes it in 1.11.0 release.
Fixed version
| OpenTelemetry .NET Automatic Instrumentation | Status |
|---|---|
| <= 1.9.0 | ✅ Not affected |
| 1.10.0-beta.1, 1.10.0 | ❌ Vulnerable |
| 1.11.0 (Fixed) | ✅ Safe to use |
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
References
Are there any links users can visit to find out more?
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "OpenTelemetry.AutoInstrumentation"
},
"ranges": [
{
"events": [
{
"introduced": "1.10.0-beta.1"
},
{
"fixed": "1.11.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-06T22:33:43Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nA vulnerability in `OpenTelemetry.Api` package `1.10.0` to `1.11.1` could cause a [Denial of Service (DoS) when a tracestate and traceparent header is received](https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-8785-wc3w-h8q6). These versions are used in OpenTelemetry .NET Automatic Instrumentation `1.10.0-beta.1` and `1.10.0`.\n\nEven if an application does not explicitly use trace context propagation, receiving these headers can still trigger high CPU usage.\nThis issue impacts any application accessible over the web or backend services that process HTTP requests containing a tracestate header.\nApplication may experience excessive resource consumption, leading to increased latency, degraded performance, or downtime.\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\nThis issue has been resolved in `OpenTelemetry.Api` `1.11.2` by reverting the change that introduced the problematic behavior in versions `1.10.0` to `1.11.1`. OpenTelemetry .NET Automatic Instrumentation fixes it in `1.11.0` release.\n\n## Fixed version\n\n| OpenTelemetry .NET Automatic Instrumentation | Status |\n|----|----|\n| \u003c= 1.9.0 | \u2705 Not affected |\n| 1.10.0-beta.1, 1.10.0 | \u274c Vulnerable |\n| 1.11.0 (Fixed)| \u2705 Safe to use|\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\n### References\n_Are there any links users can visit to find out more?_",
"id": "GHSA-vc29-vg52-6643",
"modified": "2025-03-06T22:33:43Z",
"published": "2025-03-06T22:33:43Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/open-telemetry/opentelemetry-dotnet-instrumentation/security/advisories/GHSA-vc29-vg52-6643"
},
{
"type": "WEB",
"url": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-8785-wc3w-h8q6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27513"
},
{
"type": "PACKAGE",
"url": "https://github.com/open-telemetry/opentelemetry-dotnet-instrumentation"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "DoS Vulnerability in TraceContextPropagator.Extract - OpenTelemetry.Api"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.