GHSA-w9wp-h8wv-79jx: opentelemetry_sdk has unbounded memory allocation in W3C Baggage propagation
Summary
The opentelemetry_sdk library did not check size limits before parsing W3C Baggage headers (metadata passed between services in distributed tracing, used for observability and monitoring). An attacker could send an extremely large baggage header that consumed CPU and memory while being parsed, even though it would eventually be rejected, which could be used for a denial-of-service attack (making a service unavailable by overwhelming it with resource requests).
Solution / Mitigation
Upgrade opentelemetry_sdk to version 0.32.1 or later. If an immediate upgrade is not possible, reject or limit inbound baggage headers larger than 8192 bytes before OpenTelemetry processes them; this can be enforced at a proxy, gateway, middleware layer, or custom carrier boundary.
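One way to apply the interim mitigation at a middleware boundary, written as an added example for this advisory and not taken from opentelemetry-rust: a Rust pre-filter that decides from the byte length of the baggage header alone, before any parsing, and that sums repeated `baggage` headers because HTTP allows the value to be split across several. The header container shape, the function names and the sample values are assumptions.

```rust
/// Maximum accepted size of inbound baggage, in bytes (the 8192-byte limit
/// named in the advisory's mitigation).
pub const MAX_BAGGAGE_BYTES: usize = 8192;

/// Outcome of screening a baggage value before the SDK propagator sees it.
#[derive(Debug, PartialEq)]
pub enum BaggageDecision {
    Accept,
    /// Over the limit; carries the observed size for logging or metrics.
    Rejected { bytes: usize },
}

/// O(1) guard on one value: decide from the byte length alone, before any
/// splitting, percent-decoding or allocation takes place.
pub fn screen_baggage(value: &str) -> BaggageDecision {
    let bytes = value.len(); // UTF-8 byte count; the contents are not scanned
    if bytes > MAX_BAGGAGE_BYTES {
        BaggageDecision::Rejected { bytes }
    } else {
        BaggageDecision::Accept
    }
}

fn is_baggage(name: &str) -> bool {
    name.eq_ignore_ascii_case("baggage") // header names are case-insensitive
}

/// Middleware-style filter over raw request headers (assumed shape: name/value
/// pairs in arrival order). HTTP allows `baggage` to arrive as several headers that
/// are joined with commas, so the limit applies to the joined size; on rejection
/// every baggage header is dropped, never truncated, since a cut baggage string
/// would silently change the propagated context.
pub fn screen_headers(headers: &[(String, String)]) -> (Vec<(String, String)>, Option<usize>) {
    let values: Vec<&str> = headers.iter().filter(|(n, _)| is_baggage(n)).map(|(_, v)| v.as_str()).collect();
    // Joined length = sum of the values plus one comma between each pair.
    let total = values.iter().map(|v| v.len()).sum::<usize>() + values.len().saturating_sub(1);
    if total > MAX_BAGGAGE_BYTES {
        let kept: Vec<(String, String)> = headers.iter().filter(|(n, _)| !is_baggage(n)).cloned().collect();
        (kept, Some(total))
    } else {
        (headers.to_vec(), None)
    }
}
```

Run `screen_headers` on the request's headers before handing them to the SDK's extractor; the returned `Option<usize>` is the joined size of what was dropped, which is worth emitting as a metric so oversized-baggage traffic is visible.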
Vulnerability Details
EPSS: 0.0%
Original source: https://github.com/advisories/GHSA-w9wp-h8wv-79jx
First tracked: June 25, 2026 at 08:00 PM