CVE-2026-50273
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
17/07/2026
Last modified:
17/07/2026
Description
Datadog .NET Tracer is a client library for Datadog APM for .NET applications. Prior to 3.43.0, Datadog tracing libraries that implement W3C baggage propagation parse incoming baggage HTTP headers without enforcing DD_TRACE_BAGGAGE_MAX_ITEMS or DD_TRACE_BAGGAGE_MAX_BYTES on extraction, allowing a remote unauthenticated attacker to send a baggage header with many comma-separated key-value pairs or one very large value and cause unbounded CPU and memory consumption in services with baggage propagation enabled. This issue is fixed in version 3.43.0.
Impact
Base Score 3.x
7.50
Severity 3.x
HIGH



