CVE-2026-54285
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
22/06/2026
Last modified:
23/06/2026
Description
opentelemetry-js is the OpenTelemetry JavaScript Client. Prior to 2.8.0, W3CBaggagePropagator.extract() in @opentelemetry/core does not enforce size limits when parsing inbound baggage HTTP headers. The W3C Baggage specification recommends a maximum of 8,192 bytes and 180 entries; these limits were only enforced on the outbound (inject()) path, not on the inbound (extract()) path. Parsing oversized baggage causes memory allocation proportional to the header size without any cap. This vulnerability is fixed in 2.8.0.
Impact
Base Score 3.x
5.30
Severity 3.x
MEDIUM



