CVE-2026-54285
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk15th percentile — higher than 15% of all known CVEs
Summary
In versions prior to 2.8.0 of the opentelemetry-js library, the W3CBaggagePropagator.extract() method in @opentelemetry/core does not enforce size limits when parsing HTTP headers. The W3C Baggage specification recommends a maximum size of 8,192 bytes and 180 entries, which was not enforced for incoming headers.
Risk Assessment
The lack of size limits when parsing headers can lead to excessive memory allocation, threatening application stability and potentially leading to Denial of Service attacks.
Recommendation
It is recommended to update the opentelemetry-js library to version 2.8.0 or later to enforce appropriate header size limits.
Original NVD description (English source)
opentelemetry-js is the OpenTelemetry JavaScript Client. Prior to 2.8.0, W3CBaggagePropagator.extract() in @opentelemetry/core does not enforce size limits when parsing inbound baggage HTTP headers. The W3C Baggage specification recommends a maximum of 8,192 bytes and 180 entries; these limits were only enforced on the outbound (inject()) path, not on the inbound (extract()) path. Parsing oversized baggage causes memory allocation proportional to the header size without any cap. This vulnerability is fixed in 2.8.0.

