{"data":{"id":"9e07a9f6-2953-4f5a-9465-30145c46006b","title":"GHSA-mh2q-q3fh-2475: OpenTelemetry-Go: multi-value `baggage` header extraction causes excessive allocations (remote dos amplification)","summary":"OpenTelemetry-Go has a denial-of-service vulnerability where the library parses multiple `baggage` HTTP headers (a standard for distributed tracing metadata) separately instead of treating them as one combined value. An attacker can send many baggage header lines to force the server to waste CPU and memory on repeated parsing work, even though each individual header stays within size limits, causing high latency and excessive allocations per request.","solution":"The source recommends: \"avoid repeated parsing across multi-values by enforcing a global budget and/or normalizing multi-values into a single value before parsing. one mitigation approach is to treat multi-values as a single comma-joined string and cap total parsed bytes (for example 8192 bytes total).\" The fix is accepted when allocations and parsing operations stay within 2x of baseline and response latency (p95) stays below 2ms.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-mh2q-q3fh-2475","publishedAt":"2026-04-07T20:12:57.000Z","cveId":"CVE-2026-29181","cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":["denial_of_service"],"issueType":"vulnerability","affectedPackages":["go.opentelemetry.io/otel/propagation@>= 1.36.0, <= 1.40.0 (fixed: 1.41.0)","go.opentelemetry.io/otel/baggage@>= 1.36.0, <= 1.40.0 (fixed: 1.41.0)"],"affectedVendors":[],"affectedVendorsRaw":["OpenTelemetry"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-04-07T20:12:57.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["availability"],"aiComponentTargeted":null,"llmSpecific":false,"classifierConfidence":0.75,"researchCategory":null,"atlasIds":null}}