CVE-2026-50271 in dd-trace-pyinfo

Summary

by MITRE • 07/17/2026

Datadog dd-trace-py is the Datadog Python APM client. Prior to 4.8.2, Datadog tracing libraries that implement W3C baggage propagation parse incoming baggage HTTP headers without enforcing DD_TRACE_BAGGAGE_MAX_ITEMS or DD_TRACE_BAGGAGE_MAX_BYTES limits on the extract path. A remote, unauthenticated attacker can send a request whose baggage header contains an arbitrarily large number of comma-separated key-value pairs or a single very large value, causing unbounded CPU and memory consumption and enabling a remote denial of service against HTTP services with baggage propagation enabled. This issue is fixed in version 4.8.2.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/18/2026

The vulnerability in Datadog dd-trace-py affects versions prior to 4.8.2 and represents a critical denial of service weakness that stems from improper handling of W3C baggage propagation mechanisms within the Python APM client. This flaw specifically manifests when the tracing library processes incoming HTTP requests containing baggage headers, where the extract path fails to enforce configured limits on baggage item counts and total byte sizes. The vulnerability exploits the absence of validation controls that should normally restrict the number of comma-separated key-value pairs or the size of individual values within baggage headers, creating a scenario where an attacker can craft malicious requests designed to overwhelm system resources.

The technical implementation of this vulnerability involves the parsing of HTTP baggage headers without proper bounds checking during the extraction phase of trace context propagation. When the tracing library encounters a request with oversized baggage data, it processes each key-value pair individually while accumulating memory allocations for the parsed elements, leading to unbounded resource consumption patterns. This behavior directly violates security principles related to input validation and resource management, as the system fails to impose reasonable limits on the amount of data that can be processed during trace context extraction. The flaw specifically impacts systems where baggage propagation is enabled, making it particularly dangerous for distributed tracing environments that rely on W3C standards for trace context propagation.

From an operational perspective, this vulnerability creates significant risk for HTTP services that implement Datadog tracing with baggage propagation enabled, as a remote unauthenticated attacker can trigger denial of service conditions by sending carefully crafted requests. The attack vector requires no authentication and can be executed against any service using the vulnerable dd-trace-py library version, making it particularly dangerous in public-facing applications or microservices architectures where trace context propagation is commonly implemented. The resource consumption patterns include both CPU utilization spikes during header parsing operations and memory exhaustion from accumulating parsed baggage data, potentially leading to complete service unavailability or performance degradation that affects legitimate users.

The security implications of this vulnerability align with multiple CWE categories including CWE-770 for allocation of resources without limits or appropriate bounds checking, and CWE-400 for uncontrolled resource consumption. The attack pattern follows typical denial of service methodologies described in ATT&CK framework under T1499 for network denial of service and T1566 for phishing techniques that could be used to deliver malicious baggage headers. Organizations using Datadog tracing libraries should prioritize immediate patching to version 4.8.2 or later, where proper bounds checking has been implemented to enforce DD_TRACE_BAGGAGE_MAX_ITEMS and DD_TRACE_BAGGAGE_MAX_BYTES limits during header extraction. Mitigation strategies include monitoring for unusual patterns in trace context processing, implementing additional request filtering mechanisms at reverse proxies, and ensuring that all tracing components are updated to versions containing the patched baggage parsing logic. The fix implemented in version 4.8.2 addresses the root cause by enforcing proper validation limits on baggage header content during the extract path, preventing attackers from exploiting the resource consumption vulnerability through malformed requests.

Responsible

GitHub M

Reservation

06/04/2026

Disclosure

07/17/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!