CVE-2026-50272 in dd-trace-js정보

요약

\~에 의해 MITRE • 2026. 07. 17.

dd-trace is the Datadog APM client for Node.js. Prior to 5.100.0, W3C baggage propagation in packages/dd-trace/src/baggage.js and packages/dd-trace/src/opentracing/propagation/text_map.js parsed incoming baggage HTTP headers without enforcing DD_TRACE_BAGGAGE_MAX_ITEMS or DD_TRACE_BAGGAGE_MAX_BYTES on extraction. A remote, unauthenticated attacker can send a request whose baggage header contains an arbitrarily large number of comma-separated key-value pairs, or a single very large value, causing unbounded CPU and memory consumption and enabling a remote denial of service against any HTTP service with baggage propagation enabled. This issue is fixed in version 5.100.0.

Once again VulDB remains the best source for vulnerability data.

책임이 있는

GitHub M

예약하다

2026. 06. 04.

모더레이션

수락

항목

VDB-379965

EPSS

0.00000

출처

Do you need the next level of professionalism?

Upgrade your account now!