CVE-2026-29181: OpenTelemetry-Go: multi-value `baggage` header extraction causes excessive allocations (remote DoS amplification)
Multi-value `baggage` header extraction parses each header field-value independently and then aggregates the members across all values. Because the 8192-byte parse limit applies per value rather than to the aggregate, a remote client can amplify CPU time and allocations simply by sending many `baggage:` header lines, each of which is individually within the limit and so passes the per-value check. The advisory, the fixing pull request (#7880) and the release it shipped in (v1.41.0) are listed in the references below; until the dependency is upgraded, capping total request-header size at the ingress proxy bounds how much an attacker can send per request.
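To make the amplification concrete, here is an added Go example that models the pattern the advisory describes and a bounded alternative beside it. This is illustrative code written for this page, not OpenTelemetry-Go's propagator or its fix: `parseMembers`, `extractUnbounded`, `extractBounded`, `fillLine` and `attackHeader` are names chosen here, the header is read with the standard library's `http.Header.Values`, and the aggregate ceilings (`maxTotalBytes` = 8192, `maxMembers` = 180, the minimums the W3C Baggage specification asks implementations to support) are my choices for the demonstration rather than the project's constants. The vulnerable shape checks only the per-value limit; the bounded shape adds up every `baggage:` line first and refuses the request once the total budget is exceeded, before any member is parsed.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// maxPerValueBytes mirrors the per-value parse limit described in the advisory.
const maxPerValueBytes = 8192

// Aggregate budgets across ALL baggage header lines (assumed values for this
// example; the W3C Baggage spec names them as minimums to support).
const (
	maxTotalBytes = 8192
	maxMembers    = 180
)

var (
	ErrValueTooLarge = errors.New("baggage: header value exceeds per-value limit")
	ErrTotalTooLarge = errors.New("baggage: combined header values exceed total limit")
	ErrTooManyMembers = errors.New("baggage: too many list-members across header values")
)

// parseMembers splits one header field-value into its list-members
// ("key=value" pairs separated by commas). It enforces only the
// per-value byte limit, which is the check the vulnerable pattern relies on.
func parseMembers(value string) ([]string, error) {
	if len(value) > maxPerValueBytes {
		return nil, ErrValueTooLarge
	}
	var members []string
	for _, m := range strings.Split(value, ",") {
		m = strings.TrimSpace(m)
		if m == "" {
			continue
		}
		if !strings.Contains(m, "=") {
			return nil, fmt.Errorf("baggage: malformed member %q", m)
		}
		members = append(members, m)
	}
	return members, nil
}

// extractUnbounded models the vulnerable pattern: every header line is
// parsed on its own and the results are concatenated with no cross-line
// budget, so N lines cost N times the per-value maximum.
func extractUnbounded(h http.Header) ([]string, error) {
	var all []string
	for _, v := range h.Values("Baggage") {
		ms, err := parseMembers(v)
		if err != nil {
			return nil, err
		}
		all = append(all, ms...)
	}
	return all, nil
}

// extractBounded applies an aggregate budget: the total byte length of all
// baggage lines is checked up front (cheap, no allocation per member), and
// the member count is capped while aggregating.
func extractBounded(h http.Header) ([]string, error) {
	values := h.Values("Baggage")
	total := 0
	for _, v := range values {
		total += len(v)
		if total > maxTotalBytes {
			return nil, ErrTotalTooLarge
		}
	}
	var all []string
	for _, v := range values {
		ms, err := parseMembers(v)
		if err != nil {
			return nil, err
		}
		if len(all)+len(ms) > maxMembers {
			return nil, ErrTooManyMembers
		}
		all = append(all, ms...)
	}
	return all, nil
}

// fillLine builds a constructed header value of short members ("tag0=v,tag1=v,...")
// that stays under budget bytes, i.e. within the per-value limit.
func fillLine(tag string, budget int) string {
	var b strings.Builder
	for i := 0; ; i++ {
		m := fmt.Sprintf("%s%d=v", tag, i)
		if b.Len()+len(m)+1 > budget {
			break
		}
		if b.Len() > 0 {
			b.WriteByte(',')
		}
		b.WriteString(m)
	}
	return b.String()
}

// attackHeader constructs a request header carrying `lines` separate baggage
// lines, each individually under the per-value limit.
func attackHeader(lines int) http.Header {
	h := http.Header{}
	for i := 0; i < lines; i++ {
		h.Add("Baggage", fillLine(fmt.Sprintf("l%dk", i), maxPerValueBytes-192))
	}
	return h
}

func main() {
	h := attackHeader(100)
	members, err := extractUnbounded(h)
	fmt.Printf("unbounded: %d members, err=%v\n", len(members), err)
	_, err = extractBounded(h)
	fmt.Printf("bounded:   err=%v\n", err)
}
```

Running the example shows the asymmetry: the unbounded extractor accepts 100 lines and materialises tens of thousands of members, while the bounded one rejects the same request after summing lengths of the first two lines and never allocates a member slice for it.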
References
- github.com/advisories/GHSA-mh2q-q3fh-2475
- github.com/open-telemetry/opentelemetry-go
- github.com/open-telemetry/opentelemetry-go/commit/aa1894e09e3fe66860c7885cb40f98901b35277f
- github.com/open-telemetry/opentelemetry-go/pull/7880
- github.com/open-telemetry/opentelemetry-go/releases/tag/v1.41.0
- github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-mh2q-q3fh-2475
- nvd.nist.gov/vuln/detail/CVE-2026-29181