Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

CVE

CVE-2026-29181

OpenTelemetry-Go: multi-value `baggage` header extraction causes excessive allocations (remote dos amplification)
Back to all
CVE

CVE-2026-29181

OpenTelemetry-Go: multi-value `baggage` header extraction causes excessive allocations (remote dos amplification)

multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. this allows an attacker to amplify cpu and allocations by sending many baggage: header lines, even when each individual value is within the 8192-byte per-value parse limit.

severity

HIGH (availability / remote request amplification)

relevant links

  • repository: https://github.com/open-telemetry/opentelemetry-go
  • pinned callsite: https://github.com/open-telemetry/opentelemetry-go/blob/1ee4a4126dbdd1bc79e9fae072fa488beffac52a/propagation/baggage.go#L58

vulnerability details

pins: open-telemetry/opentelemetry-go@1ee4a4126dbdd1bc79e9fae072fa488beffac52a

as-of: 2026-02-04

policy: direct (no program scope provided)

callsite: propagation/baggage.go:58 (extractMultiBaggage)

attacker control: inbound HTTP request headers (many baggage field-values) → propagation.HeaderCarrier.Values("baggage") → repeated baggage.Parse + member aggregation

root cause

extractMultiBaggage iterates over all baggage header field-values and parses each one independently, then appends members into a shared slice. the 8192-byte parsing cap applies per header value, but the multi-value path repeats that work once per header line (bounded only by the server/proxy header byte limit).

impact

in a default net/http configuration (max header bytes 1mb), a single request with many baggage: header field-values can cause large per-request allocations and increased latency.

example from the attached PoC harness (darwin/arm64; 80 values; 40 requests):

  • canonical: perreqalloc_bytes=10315458 and p95_ms=7
  • control: perreqalloc_bytes=133429 and p95_ms=0

proof of concept

canonical:

mkdir -p poc
unzip poc.zip -d poc
cd poc
make test

output (excerpt):

[CALLSITE_HIT]: propagation/baggage.go:58 extractMultiBaggage
[PROOF_MARKER]: baggage_multi_value_amplification p95_ms=7 per_req_alloc_bytes=10315458 per_req_allocs=16165

control:

cd poc
make control

control output (excerpt):

[NC_MARKER]: baggage_single_value_baseline p95_ms=0 per_req_alloc_bytes=133429 per_req_allocs=480

expected: multiple baggage header field-values should be semantically equivalent to a single comma-joined baggage value and should not multiply parsing/alloc work within the effective header byte budget.

actual: multiple baggage header field-values trigger repeated parsing and member aggregation, causing high per-request allocations and increased latency even when each individual value is within 8192 bytes.

fix recommendation

avoid repeated parsing across multi-values by enforcing a global budget and/or normalizing multi-values into a single value before parsing. one mitigation approach is to treat multi-values as a single comma-joined string and cap total parsed bytes (for example 8192 bytes total).

fix accepted when: under the default PoC harness settings, canonical stays within 2x of control for perreqalloc_bytes and perreqallocs, and p95_ms stays below 2ms.

poc.zip

PR_DESCRIPTION.md

Package Versions Affected

Package Version
patch Availability
No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request

CVSS Version

Severity
Base Score
CVSS Version
Score Vector
C
H
U
7.5
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
C
H
U
0
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
C
H
U
7.5
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Related Resources

No items found.

References

https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-mh2q-q3fh-2475, https://nvd.nist.gov/vuln/detail/CVE-2026-29181, https://github.com/open-telemetry/opentelemetry-go/pull/7880, https://github.com/open-telemetry/opentelemetry-go/commit/aa1894e09e3fe66860c7885cb40f98901b35277f, https://github.com/open-telemetry/opentelemetry-go, https://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.41.0

Severity

7.5

CVSS Score
0
10

Basic Information

Ecosystem
Base CVSS
7.5
EPSS Probability
0.00077%
EPSS Percentile
0.23156%
Introduced Version
1.36.0,v1.36.0,v0.0.0-20250515071435-f410084b21a4,0
Fix Available
1.41.0,v1.41.0,v0.0.0-20260228191517-aa1894e09e3f,0.4.12-r49,20260318-r3,1.9.0-r6,1.1.1-r9,2025.12.4-r6,2026.2.1-r6,1.23.11-r72,1.24.11-r19,0.56.2-r7,0.11.0-r9,0.9.0-r3,1.35.0-r6,1.34.8-r2,1.8.12-r17,1.1.0-r4,1.15.2-r11,1.22.7-r1,1.7.13-r5,1.36.0-r0,2.5.0-r1,2.5.0-r7,2.5.0-r5,2.5.0-r9,2.5.0-r4,2.5.0-r2,7.76.3-r12,7.77.3-r4,7.76.3-r10,2.16.0-r11,29.5.2-r0,1.31.43-r1,1.32.36-r1,1.33.26-r1,1.34.17-r1,1.35.8-r1,0.0.0_git20260419-r1,3.5.29-r2,2.3.0-r3,0.44.0-r0,2.7.5-r16,1.5.4-r1,18.10.5-r1,18.11.2-r1,18.9.6-r1,18.9.6-r2,2.11.1-r1,18.10.5-r2,18.11.2-r2,18.10.4-r2,0_git20260413-r1,1.13.6-r13,1.27.9-r2,1.27.9-r5,1.2.5-r11,5.8.3-r32,1.21.4-r3,0.18.0-r1,4.13.2-r2,2.18.0-r5,1.7-r26,0.4.12-r7,1.9.2-r12,0.16.0-r2,2.2.2-r3,1.20.1-r6,1.9.4-r14,3.10.0-r7,0.18.0-r22,1.33.10.2.3-r2,2.7.1-r16,0.30.2-r6,0.68.1-r20,0.68.1-r22,18.7.6-r0,2.9.1-r8,2.8.3-r5,2.9.1-r7,1.5.7-r47,1.13.5-r13,0_git20251229-r7,0_git20251229-r9,2.11.44-r0,0.69.3-r11,1.22.1-r11,1.6.0-r5,1.8.0-r9

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.
Fix Without Upgrading