{"data":{"id":"314c81a2-8a44-4901-b12f-3eb4ea56e568","title":"GHSA-8988-4f7v-96qf: OpenTelemetry Core: Unbounded memory allocation in W3C Baggage propagation","summary":"The W3CBaggagePropagator.extract() function in OpenTelemetry Core (@opentelemetry/core) does not bound the size of the incoming baggage header value before parsing it, so a peer that controls that header can drive unbounded memory allocation in the receiving process (denial of service). Node.js's default HTTP header size limit (16,384 bytes) caps the exposure for plain HTTP servers, but deployments that raise or remove that limit, or that carry baggage over non-HTTP transports (for example messaging systems, where no HTTP header-size cap applies), are exposed to the full unbounded case.","solution":"Update @opentelemetry/core to version 2.8.0 or later. The fix enforces the W3C Baggage specification limits in the propagator itself: at most 8,192 bytes of total baggage, at most 180 entries, and at most 4,096 bytes per entry. Input beyond these limits is truncated rather than rejected, so entries past the cut-off are silently dropped; downstream code should not assume every upstream baggage entry arrives intact. Because the limit lives in the consuming service's propagator, it only protects services that have upgraded. The source additionally recommends enforcing header size limits at the server or gateway level as defence in depth, and, for non-HTTP transports that receive baggage from untrusted sources, validating the input size before handing it to the propagator.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-8988-4f7v-96qf","publishedAt":"2026-06-15T20:38:30.000Z","cveId":"CVE-2026-54285","cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":["denial_of_service"],"issueType":"vulnerability","affectedPackages":["@opentelemetry/core@< 2.8.0 (fixed: 2.8.0)"],"affectedVendors":[],"affectedVendorsRaw":["OpenTelemetry"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-06-15T20:38:30.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["availability"],"aiComponentTargeted":null,"llmSpecific":false,"classifierConfidence":0.65,"researchCategory":null,"atlasIds":null}}