CVE-2025-27513: OpenTelemetry .NET has Denial of Service (DoS) Vulnerability in API Package

March 5, 2025

What kind of vulnerability is it? Who is impacted?

A vulnerability in OpenTelemetry.Api package 1.10.0 to 1.11.1 could cause a Denial of Service (DoS) when a tracestate and traceparent header is received.

Even if an application does not explicitly use trace context propagation, receiving these headers can still trigger high CPU usage.
This issue impacts any application accessible over the web or backend services that process HTTP requests containing a tracestate header.
Application may experience excessive resource consumption, leading to increased latency, degraded performance, or downtime.

References

github.com/advisories/GHSA-8785-wc3w-h8q6
github.com/open-telemetry/opentelemetry-dotnet
github.com/open-telemetry/opentelemetry-dotnet/pull/6161
github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-8785-wc3w-h8q6
nvd.nist.gov/vuln/detail/CVE-2025-27513

Code Behaviors & Features

Detect and mitigate CVE-2025-27513 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →