OpenTelemetry Otel baggage DoS via uncapped header length (CVE-2024-41178)

Vulnerability Overview Title: Baggage parsing no longer caps raw header length Description: Summary: The length constraint on baggage strings has been removed, allowing the function to process baggage headers of arbitrary size/invalid content and log errors. This leads to denial of service (DoS) via overloaded inputs. Details: Previous length checks for baggage strings and per-member parsing size limits have been removed. The function now iterates through the entire input, using to skip invalid members and continue processing the remainder. For very large or malformed baggage headers, the parser still fully tokenizes and decodes each member, forwarding errors to the global error handler (which logs by default). This allows remote clients to send overloaded/invalid baggage headers, triggering excessive CPU/memory usage and potentially large volumes of log output. This creates a denial-of-service risk in services that do not enforce size limits beforehand. Affected Versions Affected Versions: - <= v1.43.0 - <= v1.43.0 Fixed Versions: - v1.44.0 - v1.44.0 CVSS v3 Base Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Confidentiality: None - Integrity: None - Availability: Low CVE ID: CVE-2024-41178 Remediation Fix: Upgrade and to version v1.44.0. POC Code Impact The issue can be exploited remotely via standard propagation parsing (in-scope), leading to CPU/log amplification. However, the impact is limited to availability and is constrained by transport header limits and configurable error handling, warranting a medium severity rating rather than high/critical. iterates over all list members, using to skip invalid members and continue processing without any raw length limit. performs full tokenization and for each member, and forwards parsing errors to the global error handler, which logs by default. Remote clients can send overloaded/invalid baggage headers, bypassing the 8KB header limit, resulting in additional CPU usage and significant log output. This causes availability degradation/log amplification in services that do not enforce limits beforehand. Assumptions The instrumented service uses the OpenTelemetry baggage propagator for inbound request parsing. The attacker can send overloaded or malformed baggage headers that pass through host server/proxy header size limits. The default error handler is used, or logging is configured for parsing errors. Inbound requests are parsed using . Overloaded/invalid baggage headers are accepted by the HTTP/gRPC stack. The error handler does not suppress parsing errors.

Goal Reached Thanks to every supporter — we hit 100%!

OpenTelemetry Otel baggage DoS via uncapped header length (CVE-2024-41178)

More from this source