CVE-2026-50272 in dd-trace-js
Summary
by MITRE • 07/17/2026
dd-trace is the Datadog APM client for Node.js. Prior to 5.100.0, W3C baggage propagation in packages/dd-trace/src/baggage.js and packages/dd-trace/src/opentracing/propagation/text_map.js parsed incoming baggage HTTP headers without enforcing DD_TRACE_BAGGAGE_MAX_ITEMS or DD_TRACE_BAGGAGE_MAX_BYTES on extraction. A remote, unauthenticated attacker can send a request whose baggage header contains an arbitrarily large number of comma-separated key-value pairs, or a single very large value, causing unbounded CPU and memory consumption and enabling a remote denial of service against any HTTP service with baggage propagation enabled. This issue is fixed in version 5.100.0.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/17/2026
The vulnerability affects Datadog's APM client for Node.js known as dd-trace, specifically targeting versions prior to 5.100.0. This security flaw resides in the baggage propagation mechanism that handles distributed tracing metadata through HTTP headers. The issue manifests in two primary locations within the codebase: packages/dd-trace/src/baggage.js and packages/dd-trace/src/opentracing/propagation/text_map.js where incoming baggage HTTP headers are processed without proper validation of configuration limits. The vulnerability stems from insufficient input sanitization during header parsing operations that allow malicious actors to exploit the absence of enforcement for DD_TRACE_BAGGAGE_MAX_ITEMS and DD_TRACE_BAGGAGE_MAX_BYTES environment variables.
The technical implementation flaw creates a path for resource exhaustion attacks through malformed baggage headers containing excessive key-value pairs or oversized values. When an attacker crafts HTTP requests with comma-separated baggage entries that exceed normal operational parameters, the parsing logic consumes unbounded CPU cycles and memory resources during header processing. This occurs because the system fails to validate the number of items or total byte size of baggage data before attempting to extract and process the information. The vulnerability represents a classic denial of service condition where legitimate service operations become disrupted through resource exhaustion rather than direct application compromise.
The operational impact of this vulnerability extends beyond simple service disruption to potentially affect entire infrastructure components that rely on distributed tracing for monitoring and debugging purposes. Any HTTP service configured with baggage propagation enabled becomes susceptible to this attack vector, making it particularly dangerous in production environments where tracing data flows continuously between microservices. The unauthenticated nature of the exploit means that attackers require no prior access credentials or privileges to initiate the resource exhaustion attack, significantly increasing the threat surface and attack surface exposure. Organizations running Node.js applications with Datadog APM tracing enabled must consider this vulnerability as a critical security concern affecting their distributed tracing capabilities.
Mitigation strategies should prioritize immediate deployment of dd-trace version 5.100.0 or later where the fix has been implemented to enforce proper baggage header validation. Security teams should also implement additional monitoring and rate limiting at network boundaries to detect unusual header patterns that may indicate exploitation attempts. Configuration management practices should ensure that DD_TRACE_BAGGAGE_MAX_ITEMS and DD_TRACE_BAGGAGE_MAX_BYTES environment variables are properly set with conservative limits appropriate for the service's operational requirements. This vulnerability aligns with CWE-400 weakness category for excessive resource consumption and maps to ATT&CK technique T1499.004 for network denial of service attacks through resource exhaustion, highlighting the importance of input validation in distributed tracing systems.
The flaw demonstrates how seemingly benign tracing functionality can become a significant security risk when proper input validation is omitted from parsing operations. Organizations should conduct comprehensive security assessments of their distributed tracing implementations to identify similar vulnerabilities across different APM solutions and tracing protocols. Regular security updates and vulnerability scanning should include monitoring for improper header handling in all telemetry and observability components within the application stack. This case underscores the necessity of implementing defense-in-depth strategies that protect against both direct application attacks and indirect resource exhaustion vectors that leverage legitimate system functionality.
Reference to industry standards shows this vulnerability relates to CWE-400 for excessive resource consumption and CWE-770 for allocation of resources without limits, while mapping to ATT&CK T1499.004 for denial of service through resource exhaustion. The fix implemented in version 5.100.0 demonstrates proper input validation techniques that enforce maximum item counts and byte limits during baggage header processing, preventing the unbounded growth conditions that enabled the original attack vectors. Organizations should establish security configuration baselines that include explicit limits for all tracing and telemetry data processing components to prevent similar vulnerabilities from emerging in other parts of their distributed systems architecture.