GHSA-g94r-2vxg-569j: OpenTelemetry dotnet: Excessive memory allocation when parsing OpenTelemetry propagation headers
Summary
OpenTelemetry .NET packages have a vulnerability where parsing propagation headers (headers that track request flow across services) can allocate excessive memory, potentially causing a denial of service (DoS, where a system becomes unavailable due to resource exhaustion). The issue occurs in baggage, B3, and Jaeger processing code that allocates temporary storage before checking size limits.
Solution / Mitigation
Pull request #7061 refactors the handling of baggage, B3 and Jaeger propagation headers so that parsing stops as soon as limits are exceeded and no intermediate arrays are allocated. The advisory also lists workarounds: configure appropriate HTTP request header limits in your web server, or disable baggage and/or trace propagation if not needed.
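The allocation pattern described above, shown as an added C# sketch that is not code from OpenTelemetry .NET or from pull request #7061: a comma-separated key=value header parsed once by splitting first and once with limits enforced during the scan. The class name, both limit constants and the simplified parsing (no percent-decoding) are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added illustration, not OpenTelemetry .NET code. MaxItems/MaxLength are assumed limits.
static class BaggageSketch
{
    const int MaxItems = 180, MaxLength = 8192;
    // Pattern from the advisory: Split allocates an array plus one string per entry before any limit check.
    public static Dictionary<string, string> ParseEager(string header)
    {
        var result = new Dictionary<string, string>();
        foreach (string part in header.Split(',').Take(MaxItems))  // limit applied too late
        {
            int eq = part.IndexOf('=');
            if (eq > 0) result[part.Substring(0, eq).Trim()] = part.Substring(eq + 1).Trim();
        }
        return result;
    }
    // Bounded form: scan at most MaxLength chars via spans, stop at MaxItems, allocate only kept entries.
    public static Dictionary<string, string> ParseBounded(string header)
    {
        var result = new Dictionary<string, string>();
        ReadOnlySpan<char> s = header.AsSpan();
        int limit = Math.Min(s.Length, MaxLength), pos = 0, items = 0;
        while (pos < limit && items++ < MaxItems)
        {
            int comma = s.Slice(pos, limit - pos).IndexOf(',');
            if (comma < 0 && limit < s.Length) break;  // entry crosses the length limit
            int end = comma < 0 ? limit : pos + comma;
            ReadOnlySpan<char> item = s.Slice(pos, end - pos);
            pos = end + 1;
            int eq = item.IndexOf('=');
            if (eq > 0) result[item.Slice(0, eq).Trim().ToString()] = item.Slice(eq + 1).Trim().ToString();
        }
        return result;
    }
    static void Main()
    {
        // Constructed input: 200,000 small entries in one header value.
        string big = string.Join(",", Enumerable.Range(0, 200_000).Select(i => "k" + i + "=v"));
        long a = GC.GetAllocatedBytesForCurrentThread();
        ParseEager(big);
        long b = GC.GetAllocatedBytesForCurrentThread();
        ParseBounded(big);
        long c = GC.GetAllocatedBytesForCurrentThread();
        Console.WriteLine($"eager: {b - a} bytes allocated; bounded: {c - b} bytes allocated");
    }
}
```

Both methods return the same entries for this input; the difference is that the eager version's allocation grows with the header size while the bounded version's is capped by the two limits.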
Vulnerability Details
EPSS: 0.0%
Yes
April 23, 2026
Original source: https://github.com/advisories/GHSA-g94r-2vxg-569j
First tracked: April 23, 2026 at 08:00 PM