CVE-2026-50271 in dd-trace-pyinformación

Resumen

por MITRE • 2026-07-17

Datadog dd-trace-py is the Datadog Python APM client. Prior to 4.8.2, Datadog tracing libraries that implement W3C baggage propagation parse incoming baggage HTTP headers without enforcing DD_TRACE_BAGGAGE_MAX_ITEMS or DD_TRACE_BAGGAGE_MAX_BYTES limits on the extract path. A remote, unauthenticated attacker can send a request whose baggage header contains an arbitrarily large number of comma-separated key-value pairs or a single very large value, causing unbounded CPU and memory consumption and enabling a remote denial of service against HTTP services with baggage propagation enabled. This issue is fixed in version 4.8.2.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Responsable

GitHub M

Reservar

2026-06-04

Divulgación

2026-07-17

Moderación

aceptado

Artículo

VDB-379974

CPE

listo

EPSS

0.00000

KEV

no

Actividades

muy bajo

Fuentes

Interested in the pricing of exploits?

See the underground prices here!