CVE-2026-50272: dd-trace Unbounded W3C Baggage Extraction DoS
Datadog's Node.js tracing library parsed incoming W3C baggage HTTP headers with no size or item-count limits, letting any unauthenticated attacker crash or stall an instrumented service by sending an
The problem
The dd-trace-js library enforced item-count and byte-size limits (DD_TRACE_BAGGAGE_MAX_ITEMS, default 64; DD_TRACE_BAGGAGE_MAX_BYTES, default 8192) only when injecting baggage into outbound requests. The extraction path, which runs on every inbound HTTP request, had no such caps.
A remote, unauthenticated attacker can send a single request whose baggage header contains thousands of comma-separated key-value pairs, or one very large value. The tracer allocates a hash-map entry for every pair on every request, leading to unbounded CPU and memory consumption.
Because baggage propagation is enabled by default since v5.88.0, any internet-facing service instrumented with an affected version is exposed without any additional configuration.
Proof of concept
A working proof-of-concept for CVE-2026-50272 in dd-trace, with the exact payload below.
GET /api/health HTTP/1.1
Host: target.example.com
baggage: k1=v,k2=v,k3=v,k4=v,k5=v,k6=v,k7=v,k8=v,k9=v,k10=v,k11=v,k12=v,k13=v,k14=v,k15=v,k16=v,k17=v,k18=v,k19=v,k20=v,k21=v,k22=v,k23=v,k24=v,k25=v,k26=v,k27=v,k28=v,k29=v,k30=v,k31=v,k32=v,k33=v,k34=v,k35=v,k36=v,k37=v,k38=v,k39=v,k40=v,k41=v,k42=v,k43=v,k44=v,k45=v,k46=v,k47=v,k48=v,k49=v,k50=v,k51=v,k52=v,k53=v,k54=v,k55=v,k56=v,k57=v,k58=v,k59=v,k60=v,k61=v,k62=v,k63=v,k64=v,k65=v,k66=v,...(thousands more)Before the fix, the baggage extractor in packages/dd-trace/src/opentracing/propagation/text_map.js iterated over every comma-separated pair in the incoming header and inserted each into a map with no bounds check. The limits DD_TRACE_BAGGAGE_MAX_ITEMS and DD_TRACE_BAGGAGE_MAX_BYTES existed only in the inject code path.
PR #8255 (commit 00a239a1e2, by Ruben Bridgewater) added the same item-count and byte-size guards to the extract path: parsing now stops as soon as the running byte total exceeds baggageMaxBytes or the item count exceeds baggageMaxItems, matching the behavior already present for injection.
The root cause is CWE-770 (Allocation of Resources Without Limits or Throttling) and CWE-400 (Uncontrolled Resource Consumption).
The fix
Upgrade dd-trace to version 5.100.0 or later. If an immediate upgrade is not possible, either remove baggage from DD_TRACE_PROPAGATION_STYLE (or DD_TRACE_PROPAGATION_STYLE_EXTRACT) to disable baggage extraction entirely, or enforce a cap on the maximum HTTP request header size at an upstream proxy (for example, Nginx large_client_header_buffers, Apache LimitRequestFieldSize, or Envoy max_request_headers_kb).
Reported by Ruben Bridgewater.
Related research
- high · 7.5CVE-2026-49866CVE-2026-49866: @libp2p/gossipsub CPU DoS via Oversized IHAVE and IWANT Control Messages
- high · 7.5CVE-2026-49293CVE-2026-49293: js-toml CPU Exhaustion via Quadratic BigInt Parsing
- high · 7.5CVE-2026-50276CVE-2026-50276: datadog (dd-trace-rb) W3C Baggage Header Denial of Service
- high · 8.8CVE-2026-54504CVE-2026-54504: @andrea9293/mcp-documentation-server Unauthenticated Network API Exposure