{"data":{"id":"f32ed36a-bf2b-4968-80b5-b13dc4cd299b","title":"GHSA-rcgg-9c38-7xpx: OpenTelemetry Java SDK has Unbounded Memory Allocation in W3C Baggage Propagation","summary":"OpenTelemetry Java's baggage propagation (the mechanism for passing request context data across services) didn't enforce size limits, causing unbounded memory allocation (unlimited memory usage) and CPU consumption when parsing oversized baggage headers. This problem can spread to downstream services that never received the original malicious request because baggage is automatically re-injected into every outgoing request.","solution":"Update to version 1.62.0 or later. The fix enforces limits consistent with the W3C Baggage specification: a maximum total baggage size of 8,192 bytes and a maximum of 64 entries. Header content beyond the point at which either limit is reached is dropped, while already-extracted valid entries are retained.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-rcgg-9c38-7xpx","publishedAt":"2026-05-14T16:36:04.000Z","cveId":"CVE-2026-45292","cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":["denial_of_service"],"issueType":"vulnerability","affectedPackages":["io.opentelemetry:opentelemetry-extension-trace-propagators@<= 1.61.0 (fixed: 1.62.0)","io.opentelemetry:opentelemetry-api@<= 1.61.0 (fixed: 1.62.0)"],"affectedVendors":[],"affectedVendorsRaw":["OpenTelemetry"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-05-14T16:36:04.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["availability"],"aiComponentTargeted":"inference","llmSpecific":false,"classifierConfidence":0.75,"researchCategory":null,"atlasIds":null}}