GHSA-VC29-VG52-6643

Vulnerability from github – Published: 2025-03-06 22:33 – Updated: 2025-03-06 22:33
VLAI
Summary
DoS Vulnerability in TraceContextPropagator.Extract - OpenTelemetry.Api
Details

Impact

What kind of vulnerability is it? Who is impacted?

A vulnerability in OpenTelemetry.Api package 1.10.0 to 1.11.1 could cause a Denial of Service (DoS) when a tracestate and traceparent header is received. These versions are used in OpenTelemetry .NET Automatic Instrumentation 1.10.0-beta.1 and 1.10.0.

Even if an application does not explicitly use trace context propagation, receiving these headers can still trigger high CPU usage. This issue impacts any application accessible over the web or backend services that process HTTP requests containing a tracestate header. Application may experience excessive resource consumption, leading to increased latency, degraded performance, or downtime.

Patches

Has the problem been patched? What versions should users upgrade to?

This issue has been resolved in OpenTelemetry.Api 1.11.2 by reverting the change that introduced the problematic behavior in versions 1.10.0 to 1.11.1. OpenTelemetry .NET Automatic Instrumentation fixes it in 1.11.0 release.

Fixed version

OpenTelemetry .NET Automatic Instrumentation Status
<= 1.9.0 ✅ Not affected
1.10.0-beta.1, 1.10.0 ❌ Vulnerable
1.11.0 (Fixed) ✅ Safe to use

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

References

Are there any links users can visit to find out more?

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "OpenTelemetry.AutoInstrumentation"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.10.0-beta.1"
            },
            {
              "fixed": "1.11.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-06T22:33:43Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nA vulnerability in `OpenTelemetry.Api` package `1.10.0` to `1.11.1` could cause a [Denial of Service (DoS) when a tracestate and traceparent header is received](https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-8785-wc3w-h8q6). These versions are used in OpenTelemetry .NET Automatic Instrumentation `1.10.0-beta.1` and `1.10.0`.\n\nEven if an application does not explicitly use trace context propagation, receiving these headers can still trigger high CPU usage.\nThis issue impacts any application accessible over the web or backend services that process HTTP requests containing a tracestate header.\nApplication may experience excessive resource consumption, leading to increased latency, degraded performance, or downtime.\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\nThis issue has been resolved in `OpenTelemetry.Api` `1.11.2` by reverting the change that introduced the problematic behavior in versions `1.10.0` to `1.11.1`. OpenTelemetry .NET Automatic Instrumentation fixes it in `1.11.0` release.\n\n## Fixed version\n\n| OpenTelemetry .NET Automatic Instrumentation | Status |\n|----|----|\n| \u003c= 1.9.0 | \u2705 Not affected |\n| 1.10.0-beta.1, 1.10.0 | \u274c Vulnerable |\n| 1.11.0 (Fixed)| \u2705 Safe to use|\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\n### References\n_Are there any links users can visit to find out more?_",
  "id": "GHSA-vc29-vg52-6643",
  "modified": "2025-03-06T22:33:43Z",
  "published": "2025-03-06T22:33:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/open-telemetry/opentelemetry-dotnet-instrumentation/security/advisories/GHSA-vc29-vg52-6643"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-8785-wc3w-h8q6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27513"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/open-telemetry/opentelemetry-dotnet-instrumentation"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "DoS Vulnerability in TraceContextPropagator.Extract - OpenTelemetry.Api"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…