CVE-2026-48504: opentelemetry_sdk has unbounded memory allocation in W3C Baggage propagation
BaggagePropagator::extract_with_context in opentelemetry_sdk did not enforce the W3C Baggage size limits before parsing an inbound baggage header. A large attacker-controlled header could cause unnecessary CPU work and short-lived heap allocations while parsing entries that would later be discarded by the SDK’s baggage storage limits.
The SDK now enforces the W3C Baggage specification limits before parsing an inbound header, so oversized input is rejected instead of being parsed and then discarded:
- 64 list-members
- 8192 bytes total
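As an added illustration of the fix described above (this is example code written for this page, not code from opentelemetry_sdk), the parser below checks the two cheap, allocation-free bounds first, header byte length and list-member count, and only then splits the header into key/value entries. The constant and function names, the `BaggageError` type, and the choice to reject an oversized header outright (rather than keeping the first 64 entries) are assumptions for the example.

```rust
// Example only: limit-first parsing of a W3C Baggage header.
// Names and the reject-vs-truncate policy are assumptions, not the SDK's API.

/// W3C Baggage limits as stated in the advisory (assumed constant names).
pub const MAX_LIST_MEMBERS: usize = 64;
pub const MAX_TOTAL_BYTES: usize = 8192;

#[derive(Debug, PartialEq, Eq)]
pub enum BaggageError {
    /// Header exceeds MAX_TOTAL_BYTES; carries the observed byte length.
    TooLarge(usize),
    /// Header has more than MAX_LIST_MEMBERS list-members; carries the count.
    TooManyMembers(usize),
}

/// Parse a `baggage` header into (key, value) pairs, enforcing size limits
/// *before* any per-entry allocation happens.
///
/// Values are returned as sent (still percent-encoded); properties after ';'
/// are dropped. Both bounds checks run in O(n) over the bytes with no heap use,
/// so an oversized header costs one scan and no allocations.
pub fn parse_baggage_header(header: &str) -> Result<Vec<(String, String)>, BaggageError> {
    // 1. Total size: O(1), no allocation.
    if header.len() > MAX_TOTAL_BYTES {
        return Err(BaggageError::TooLarge(header.len()));
    }

    // 2. List-member count: a single pass over the bytes, still no allocation.
    let members = header
        .split(',')
        .filter(|m| !m.trim().is_empty())
        .count();
    if members > MAX_LIST_MEMBERS {
        return Err(BaggageError::TooManyMembers(members));
    }

    // 3. Only now allocate, and only as much as the bounded member count needs.
    let mut entries = Vec::with_capacity(members);
    for member in header.split(',') {
        let member = member.trim();
        if member.is_empty() {
            continue;
        }
        // Discard properties ("key=value;prop1;prop2=x" -> "key=value").
        let kv = member.split(';').next().unwrap_or("");
        let (key, value) = match kv.split_once('=') {
            Some(pair) => pair,
            None => continue, // malformed member, skip it
        };
        let key = key.trim();
        if key.is_empty() {
            continue;
        }
        entries.push((key.to_string(), value.trim().to_string()));
    }
    Ok(entries)
}

fn main() {
    // Constructed sample input: a well-formed header with one property.
    let ok = parse_baggage_header("userId=alice,serverNode=DF%2028;ttl=30");
    println!("{ok:?}");

    // Constructed oversized input: rejected before any entry is allocated.
    let big = format!("k={}", "v".repeat(MAX_TOTAL_BYTES));
    println!("{:?}", parse_baggage_header(&big));

    // Constructed input with 65 list-members: rejected by the member bound.
    let many: Vec<String> = (0..65).map(|i| format!("k{i}=v")).collect();
    println!("{:?}", parse_baggage_header(&many.join(",")));
}
```

The ordering is the point: both bounds are computed from the raw `&str` without building anything, so the parsing and allocation cost is only ever paid for input already known to fit within the limits.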