GHSA-8988-4f7v-96qf: OpenTelemetry Core: Unbounded memory allocation in W3C Baggage propagation
Summary
The W3CBaggagePropagator.extract() function in OpenTelemetry Core does not limit the size of incoming baggage HTTP headers, so an oversized baggage header can drive unbounded memory allocation during extraction. Node.js's default HTTP header size limit (16,384 bytes) bounds the exposure for plain HTTP servers, but deployments that raise or remove that limit, or that carry baggage over non-HTTP transports (for example messaging systems), are at higher risk.
Solution / Mitigation
Update @opentelemetry/core to version 2.8.0 or later. The fix enforces the W3C Baggage specification limits at the propagator level: a maximum total baggage size of 8,192 bytes, a maximum of 180 entries, and a maximum per-entry size of 4,096 bytes. Headers exceeding these limits are truncated. The advisory additionally recommends configuring header size limits at the server or gateway level and, for non-HTTP transports that receive baggage from untrusted sources, validating input size before passing it to the propagator.
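The following is an added example, not code from OpenTelemetry or from the advisory, of the application-side input-size validation the mitigation recommends for non-HTTP transports: a baggage header string is checked against the three limits quoted above before it is handed to the propagator. The function names (limitBaggageHeader, isWellFormedMember, demo), the sample headers, and the keep-the-leading-entries-and-drop-the-rest policy are assumptions made here; they are not the library's algorithm.

```javascript
// Added example (not OpenTelemetry's own code): bound the size of a W3C Baggage
// header received over an untrusted or non-HTTP transport before calling
// W3CBaggagePropagator.extract(). Limits are the ones the advisory states for the
// @opentelemetry/core 2.8.0 fix; the truncation policy below is an assumption.
const BAGGAGE_LIMITS = Object.freeze({
  maxTotalBytes: 8192, // whole header, UTF-8 bytes
  maxEntries: 180,     // number of list-members
  maxEntryBytes: 4096, // one "key=value;properties" member, UTF-8 bytes
});

function utf8Bytes(s) {
  return Buffer.byteLength(s, 'utf8');
}

// Minimal W3C list-member shape check: non-empty key, '=', then value and
// optional ';properties'. Keys must not contain whitespace or delimiters.
function isWellFormedMember(member) {
  const eq = member.indexOf('=');
  if (eq <= 0) return false;
  const key = member.slice(0, eq).trim();
  return key.length > 0 && !/[\s,;=]/.test(key);
}

// Returns null for non-string input, otherwise { header, kept, dropped, truncated }.
// `header` respects every limit and is safe to pass on to the propagator.
function limitBaggageHeader(raw, limits = BAGGAGE_LIMITS) {
  if (typeof raw !== 'string') return null;

  // Bound the work before any parsing: never scan more characters than the
  // byte budget allows. Per-entry byte counts below handle multi-byte characters.
  const scan = raw.length > limits.maxTotalBytes ? raw.slice(0, limits.maxTotalBytes) : raw;

  const kept = [];
  let totalBytes = 0;
  let dropped = 0;
  let full = false; // once a total limit is hit, keep the prefix and drop the rest

  for (const part of scan.split(',')) {
    const member = part.trim();
    if (member.length === 0) continue;
    if (full || !isWellFormedMember(member)) { dropped++; continue; }

    const entryBytes = utf8Bytes(member);
    if (entryBytes > limits.maxEntryBytes) { dropped++; continue; } // per-entry limit

    const separator = kept.length > 0 ? 1 : 0; // the ',' joining entries
    if (kept.length >= limits.maxEntries ||
        totalBytes + separator + entryBytes > limits.maxTotalBytes) {
      full = true;
      dropped++;
      continue;
    }
    kept.push(member);
    totalBytes += separator + entryBytes;
  }

  return {
    header: kept.join(','),
    kept: kept.length,
    dropped,
    truncated: dropped > 0 || scan.length !== raw.length,
  };
}

// Constructed samples (not taken from the advisory) exercising each limit.
function demo() {
  const samples = {
    normal: 'userId=alice,serverNode=DF%2028;isProduction=true',
    oversizedEntry: 'a=' + 'x'.repeat(5000) + ',b=1',
    tooManyEntries: Array.from({ length: 200 }, (_, i) => `k${i}=v${i}`).join(','),
    hugeHeader: 'k=' + 'v'.repeat(20000),
  };
  const results = {};
  for (const [name, header] of Object.entries(samples)) {
    const r = limitBaggageHeader(header);
    results[name] = r;
    console.log(`${name}: kept=${r.kept} dropped=${r.dropped} ` +
                `truncated=${r.truncated} bytes=${utf8Bytes(r.header)}`);
  }
  return results;
}

demo();
```

The check runs in O(input length) and never allocates more than the capped scan string plus the entries it keeps, which is the property the advisory's fix restores inside the propagator; applying it at the transport boundary also gives you a place to log or meter how often untrusted peers send oversized baggage.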
Vulnerability Details
EPSS: 0.0%
Original source: https://github.com/advisories/GHSA-8988-4f7v-96qf
First tracked: June 15, 2026 at 08:00 PM