{"data":{"id":"02fd0bce-aba1-4b12-be02-af752ee73634","title":"GHSA-w9wp-h8wv-79jx: opentelemetry_sdk has unbounded memory allocation in W3C Baggage propagation","summary":"The opentelemetry_sdk library did not enforce size limits on baggage headers (metadata passed between services in distributed tracing, which is used in observability and monitoring) before parsing them. An attacker could send extremely large headers that consume CPU and memory while being parsed, even though they would eventually be rejected, potentially causing a denial-of-service attack (making the service unavailable by exhausting its CPU and memory).","solution":"Upgrade opentelemetry_sdk to version 0.32.1 or later. Alternatively, if an immediate upgrade is not possible, reject or limit inbound baggage headers larger than 8192 bytes before the OpenTelemetry SDK processes them. This can be enforced at a proxy, gateway, middleware layer, or custom carrier boundary.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-w9wp-h8wv-79jx","publishedAt":"2026-06-25T18:40:04.000Z","cveId":"CVE-2026-48504","cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":["denial_of_service"],"issueType":"vulnerability","affectedPackages":["opentelemetry_sdk@<= 0.32.0 (fixed: 0.32.1)"],"affectedVendors":[],"affectedVendorsRaw":["OpenTelemetry"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-06-25T18:40:04.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["availability"],"aiComponentTargeted":"inference","llmSpecific":false,"classifierConfidence":0.75,"researchCategory":null,"atlasIds":null}}