GHSA-rcgg-9c38-7xpx: OpenTelemetry Java SDK has Unbounded Memory Allocation in W3C Baggage Propagation
Summary
OpenTelemetry Java's baggage propagation (the mechanism that passes request-scoped context data across services) did not enforce size limits, so parsing an oversized baggage header caused unbounded memory allocation and CPU consumption. Because baggage is automatically re-injected into every outgoing request, the problem propagates to downstream services that never received the original malicious request.
Solution / Mitigation
Update to version 1.62.0 or later. The fix enforces limits consistent with the W3C Baggage specification: a maximum total baggage size of 8,192 bytes and a maximum of 64 entries. Headers exceeding either limit are dropped at the point the limit is reached, while already-extracted valid entries are retained.
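As an added illustration of the bounded parsing the fix describes (this is example code, not the SDK's own implementation), the parser below consumes W3C baggage list members left to right, stops at the member where either limit is reached, and keeps the entries already extracted; how separator bytes are counted against the 8,192-byte limit is an assumption here.

```python
# Limits from the W3C Baggage specification (the ones the 1.62.0 fix enforces)
MAX_BAGGAGE_BYTES = 8192
MAX_BAGGAGE_ENTRIES = 64


def parse_baggage(header, max_bytes=MAX_BAGGAGE_BYTES, max_entries=MAX_BAGGAGE_ENTRIES):
    """Parse a W3C baggage header value into a bounded {key: value} dict.

    List members are consumed left to right. Parsing stops at the first member
    that would push the running byte count past max_bytes or the entry count
    past max_entries; members extracted before that point are kept. Counting
    the comma separator against the byte budget is an assumption, not the
    SDK's exact accounting.
    """
    entries = {}
    consumed = 0
    for member in header.split(","):
        member_bytes = len(member.encode("utf-8")) + 1  # +1 for the comma separator
        if len(entries) >= max_entries or consumed + member_bytes > max_bytes:
            break  # limit reached: drop this member and everything after it
        consumed += member_bytes
        kv = member.split(";", 1)[0].strip()  # drop ;-delimited properties
        if "=" not in kv:
            continue  # malformed member: skip it but keep scanning
        key, value = (part.strip() for part in kv.split("=", 1))
        if key:
            entries[key] = value
    return entries


def format_baggage(entries):
    """Serialize entries back into a header value for an outgoing request.

    Because parse_baggage bounded the input, the re-injected header is bounded
    too, so the amplification to downstream services stops at this hop.
    """
    return ",".join(f"{k}={v}" for k, v in entries.items())


if __name__ == "__main__":
    # Constructed header: one ordinary entry followed by a 9,000-byte value
    flood = "a=b,big=" + "x" * 9000 + ",c=d"
    print(parse_baggage(flood))          # {'a': 'b'}: 'big' and 'c' are dropped
    print(len(format_baggage(parse_baggage(flood))))  # 3 bytes forwarded downstream
```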
Vulnerability Details
EPSS: 0.0%
Original source: https://github.com/advisories/GHSA-rcgg-9c38-7xpx
First tracked: May 14, 2026 at 02:00 PM