CVE-2026-50273 in dd-trace-dotnetinfo

Summary

by MITRE • 07/17/2026

Datadog .NET Tracer is a client library for Datadog APM for .NET applications. Prior to 3.43.0, Datadog tracing libraries that implement W3C baggage propagation parse incoming baggage HTTP headers without enforcing DD_TRACE_BAGGAGE_MAX_ITEMS or DD_TRACE_BAGGAGE_MAX_BYTES on extraction, allowing a remote unauthenticated attacker to send a baggage header with many comma-separated key-value pairs or one very large value and cause unbounded CPU and memory consumption in services with baggage propagation enabled. This issue is fixed in version 3.43.0.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/17/2026

The Datadog .NET Tracer represents a critical vulnerability in the distributed tracing ecosystem that affects applications leveraging W3C baggage propagation mechanisms. This flaw exists within the client library responsible for instrumenting .NET applications for Datadog APM services, where the tracer processes incoming HTTP headers containing baggage data. The vulnerability stems from insufficient validation during the extraction phase of baggage header processing, allowing attackers to exploit the absence of configured limits on both the number of key-value pairs and total byte size of baggage data.

The technical implementation flaw manifests when the tracing library parses HTTP headers without enforcing the established environmental constraints DD_TRACE_BAGGAGE_MAX_ITEMS and DD_TRACE_BAGGAGE_MAX_BYTES. These parameters are designed to prevent resource exhaustion by limiting the maximum number of baggage items and total bytes that can be processed during header parsing operations. When these protections are bypassed, malicious actors can craft specially crafted HTTP requests containing excessive baggage data that causes unbounded consumption of CPU cycles and memory resources within the affected services.

The operational impact of this vulnerability extends beyond simple resource exhaustion to potentially enable denial-of-service attacks against critical infrastructure components. Services configured with baggage propagation enabled become vulnerable to attacks where remote unauthenticated adversaries can submit headers containing thousands of comma-separated key-value pairs or a single extremely large value, causing significant performance degradation and potential service disruption. The vulnerability affects any .NET application instrumented with Datadog tracing libraries running versions prior to 3.43.0, making it particularly concerning for organizations relying on distributed tracing for monitoring and observability.

This issue aligns with CWE-400 vulnerability classification related to resource exhaustion and represents a specific instance of improper input validation in distributed tracing contexts. From an ATT&CK framework perspective, this vulnerability maps to techniques involving resource exhaustion and service disruption through manipulation of application inputs. The attack vector leverages HTTP header manipulation as a means to exploit the lack of input sanitization during baggage propagation processes, making it particularly dangerous in environments where tracing data flows between multiple microservices and applications.

The remediation strategy involves upgrading to Datadog .NET Tracer version 3.43.0 or later, which implements proper enforcement of the existing DD_TRACE_BAGGAGE_MAX_ITEMS and DD_TRACE_BAGGAGE_MAX_BYTES configuration parameters. Organizations should also verify that their tracing configurations properly enforce these limits and consider implementing additional monitoring for unusual baggage header patterns. Security teams should review their application instrumentation to ensure that all components handling W3C baggage data implement appropriate input validation and resource limiting measures, preventing similar vulnerabilities from emerging in other distributed tracing implementations or custom baggage processing logic.

Responsible

GitHub M

Reservation

06/04/2026

Disclosure

07/17/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Do you need the next level of professionalism?

Upgrade your account now!