CVE-2025-27513
Denial of Service vulnerability in OpenTelemetry.Api (NuGet)
What is CVE-2025-27513 About?
A Denial of Service (DoS) vulnerability exists in the OpenTelemetry.Api package versions 1.10.0 to 1.11.1 when processing specific `tracestate` and `traceparent` headers. This can lead to high CPU usage, degrading application performance or causing downtime. Exploitation can occur remotely without authentication by sending crafted HTTP requests.
Affected Software
Technical Details
The vulnerability manifests when the OpenTelemetry.Api package, in versions 1.10.0 through 1.11.1, receives HTTP requests containing `tracestate` and `traceparent` headers. Even if the application does not explicitly use trace context propagation, the library's internal processing of these headers triggers excessive CPU consumption. This points to a processing inefficiency or resource-exhaustion bug in the library's handling of specific tracing header configurations, which a remote attacker can trigger by sending specially crafted HTTP requests.
What is the Impact of CVE-2025-27513?
Successful exploitation may allow attackers to cause excessive resource consumption, leading to increased latency, degraded performance, or complete denial of service for the affected application.
What is the Exploitability of CVE-2025-27513?
Exploitation is of low to moderate complexity, requiring an attacker to send HTTP requests containing crafted tracestate and traceparent headers to an affected application. No authentication is required, making it a remote attack vector. The vulnerability can affect any web-accessible application or backend service that processes HTTP requests. The primary risk factor is the public exposure of such services, as a simple request can trigger resource exhaustion.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2025-27513?
About the Fix from Resolved Security
This patch reverts a previous performance optimization in `TraceContextPropagator.Extract` and restores stricter handling when parsing `tracestate` values, in particular around duplicate keys. By switching from the buffer-based optimization to a `HashSet` that checks for and rejects duplicate keys, it mitigates CVE-2025-27513, which allowed crafted `tracestate` headers with duplicated keys to bypass proper validation.
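As an added illustration (not the OpenTelemetry project's code and not the patch itself), the following C# shows the defensive pattern the fix description above refers to, and the header handling discussed under Technical Details: a strict `tracestate` parser that records every key in a `HashSet` and rejects the whole header on the first duplicate, while also enforcing the W3C Trace Context size limits so a malformed header fails fast instead of being processed at length. The key grammar is simplified relative to the specification's multi-tenant form, the sample headers are constructed, and the class and method names are assumptions.

```csharp
using System;
using System.Collections.Generic;

// Added illustration, not OpenTelemetry's implementation: a strict W3C
// tracestate parser. Limits follow the W3C Trace Context specification.
public static class StrictTraceStateParser
{
    private const int MaxListMembers = 32;   // W3C: at most 32 list-members
    private const int MaxKeyLength = 256;    // W3C: key up to 256 characters
    private const int MaxValueLength = 256;  // W3C: value up to 256 characters

    // Returns the parsed key/value pairs in header order, or null when the
    // header is invalid for any reason (the caller should then drop it).
    public static IReadOnlyList<KeyValuePair<string, string>> Parse(string header)
    {
        if (string.IsNullOrWhiteSpace(header))
            return null;

        var seenKeys = new HashSet<string>(StringComparer.Ordinal);
        var result = new List<KeyValuePair<string, string>>();

        foreach (var rawMember in header.Split(','))
        {
            var member = rawMember.Trim();
            if (member.Length == 0)
                continue; // empty list-members are permitted by the spec

            if (result.Count >= MaxListMembers)
                return null; // over the member limit: stop scanning and reject

            int eq = member.IndexOf('=');
            if (eq <= 0 || eq == member.Length - 1)
                return null; // missing '=', empty key, or empty value

            string key = member.Substring(0, eq);
            string value = member.Substring(eq + 1);

            if (!IsValidKey(key) || !IsValidValue(value))
                return null;

            // The check the fix description centres on: a repeated key
            // invalidates the entire header instead of being tolerated.
            if (!seenKeys.Add(key))
                return null;

            result.Add(new KeyValuePair<string, string>(key, value));
        }

        return result;
    }

    // Simplified key grammar: lowercase letter or digit first, then
    // lowercase letters, digits, '_', '-', '*', '/' and '@'.
    private static bool IsValidKey(string key)
    {
        if (key.Length > MaxKeyLength) return false;
        if (!IsLowerOrDigit(key[0])) return false;
        foreach (char c in key)
        {
            if (!(IsLowerOrDigit(c) || c == '_' || c == '-' || c == '*' || c == '/' || c == '@'))
                return false;
        }
        return true;
    }

    // Value grammar: printable ASCII except ',' and '=', with no trailing space.
    private static bool IsValidValue(string value)
    {
        if (value.Length > MaxValueLength) return false;
        foreach (char c in value)
        {
            if (c < 0x20 || c > 0x7E || c == ',' || c == '=') return false;
        }
        return value[value.Length - 1] != ' ';
    }

    private static bool IsLowerOrDigit(char c) =>
        (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9');

    public static void Main()
    {
        // Constructed sample headers for illustration only.
        const string wellFormed = "vendor1=opaque1,vendor2=opaque2";
        const string duplicateKey = "vendor1=opaque1,vendor1=opaque2";

        Console.WriteLine("well-formed:    " + (Parse(wellFormed) != null ? "accepted" : "rejected"));
        Console.WriteLine("duplicate key:  " + (Parse(duplicateKey) != null ? "accepted" : "rejected"));
    }
}
```

Rejecting on the first duplicate, rather than deduplicating or continuing to scan, bounds the work done per header to a single pass over at most 32 members, which is the property a parser exposed to unauthenticated input needs.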
Available Upgrade Options
- OpenTelemetry.Api
  - >1.11.0, <1.11.2 → Upgrade to 1.11.2
Additional Resources
- https://osv.dev/vulnerability/GHSA-8785-wc3w-h8q6
- https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-8785-wc3w-h8q6
- https://nvd.nist.gov/vuln/detail/CVE-2025-27513
- https://github.com/open-telemetry/opentelemetry-dotnet/commit/1b555c1201413f2f55f2cd3c4ba03ef4b615b6b5
- https://github.com/open-telemetry/opentelemetry-dotnet/pull/6161
- https://github.com/open-telemetry/opentelemetry-dotnet
What are Similar Vulnerabilities to CVE-2025-27513?
Similar Vulnerabilities: CVE-2024-30105, CVE-2024-38095, CVE-2022-26134, CVE-2023-28491, CVE-2021-44228
