GHSA-mh2q-q3fh-2475: OpenTelemetry-Go: multi-value `baggage` header extraction causes excessive allocations (remote dos amplification)
Summary
OpenTelemetry-Go has a denial-of-service vulnerability where the library parses multiple `baggage` HTTP headers (a standard for distributed tracing metadata) separately instead of treating them as one combined value. An attacker can send many baggage header lines to force the server to waste CPU and memory on repeated parsing work, even though each individual header stays within size limits, causing high latency and excessive allocations per request.
Solution / Mitigation
The source recommends: "avoid repeated parsing across multi-values by enforcing a global budget and/or normalizing multi-values into a single value before parsing. One mitigation approach is to treat multi-values as a single comma-joined string and cap total parsed bytes (for example 8192 bytes total)." The advisory's acceptance criteria for a fix are that allocations and parsing operations stay within 2x of baseline and that p95 response latency stays below 2 ms.
Vulnerability Details
EPSS: 0.0%
April 7, 2026
Original source: https://github.com/advisories/GHSA-mh2q-q3fh-2475
First tracked: April 7, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 75%