GHSA-mh2q-q3fh-2475
Denial of Service vulnerability in otel (Go)
What is GHSA-mh2q-q3fh-2475 About?
A flaw in the `opentelemetry-go` library's `baggage:` header extraction allows an attacker to amplify CPU and memory allocations. By sending many `baggage:` header lines, an unauthenticated attacker can cause significant resource consumption, leading to increased latency and potential denial of service. This vulnerability is easy to exploit.
Affected Software
go.opentelemetry.io/otel (opentelemetry-go), versions >=1.36.0 and <1.41.0; fixed in 1.41.0.
Technical Details
The extractMultiBaggage function in opentelemetry-go processes multiple baggage: header field-values by iterating over each one independently, parsing it, and aggregating the resulting members into a shared slice. Each individual value is capped at 8192 bytes, but there is no request-wide budget: the parsing work and the allocations it produces are repeated for every header line. An attacker can therefore send a single HTTP request carrying a large number of baggage: header lines, each within the per-value cap, and the server parses all of them, multiplying per-request memory allocations and CPU time by the number of lines supplied. This amplification raises latency for other requests and, under sustained load, can exhaust memory and render the service unresponsive, resulting in a denial of service.
What is the Impact of GHSA-mh2q-q3fh-2475?
Successful exploitation may allow attackers to cause significant CPU and memory allocation amplification, leading to high latency and potential denial of service.
What is the Exploitability of GHSA-mh2q-q3fh-2475?
Exploitation is of low complexity and requires no authentication or specific privileges. It involves sending a crafted HTTP request with multiple baggage: header lines. This is a remote attack that can be performed by any client making a request to an affected service. The primary condition is that the application uses the vulnerable opentelemetry-go library and processes inbound HTTP requests. The absence of a global budget or normalization for multi-value headers, combined with individual value parsing, significantly increases the likelihood of exploitation and resource exhaustion.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for GHSA-mh2q-q3fh-2475?
Available Upgrade Options
- go.opentelemetry.io/otel
- >=1.36.0, <1.41.0 → Upgrade to 1.41.0
Additional Resources
- https://osv.dev/vulnerability/GHSA-mh2q-q3fh-2475
- https://github.com/open-telemetry/opentelemetry-go/commit/aa1894e09e3fe66860c7885cb40f98901b35277f
- https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-mh2q-q3fh-2475
- https://nvd.nist.gov/vuln/detail/CVE-2026-29181
- https://github.com/open-telemetry/opentelemetry-go
- https://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.41.0
- https://github.com/open-telemetry/opentelemetry-go/pull/7880
What are Similar Vulnerabilities to GHSA-mh2q-q3fh-2475?
Similar Vulnerabilities: CVE-2022-29003, CVE-2021-44228, CVE-2021-42340, CVE-2020-13936, CVE-2019-15598
