high · 7.5CVE-2026-50272Jul 15, 2026

CVE-2026-50272: dd-trace Unbounded W3C Baggage Extraction DoS

Rohit Hatagale
AI Security Researcher, SecureLayer7

Datadog's Node.js tracing library parsed incoming W3C baggage HTTP headers with no size or item-count limits, letting any unauthenticated attacker crash or stall an instrumented service by sending an

Packagedd-trace
Ecosystemnpm
Affected< 5.100.0
Fixed in5.100.0

The problem

The dd-trace-js library enforced item-count and byte-size limits (DD_TRACE_BAGGAGE_MAX_ITEMS, default 64; DD_TRACE_BAGGAGE_MAX_BYTES, default 8192) only when injecting baggage into outbound requests. The extraction path, which runs on every inbound HTTP request, had no such caps.

A remote, unauthenticated attacker can send a single request whose baggage header contains thousands of comma-separated key-value pairs, or one very large value. The tracer allocates a hash-map entry for every pair on every request, leading to unbounded CPU and memory consumption.

Because baggage propagation is enabled by default since v5.88.0, any internet-facing service instrumented with an affected version is exposed without any additional configuration.

Proof of concept

A working proof-of-concept for CVE-2026-50272 in dd-trace, with the exact payload below.

http
GET /api/health HTTP/1.1
Host: target.example.com
baggage: k1=v,k2=v,k3=v,k4=v,k5=v,k6=v,k7=v,k8=v,k9=v,k10=v,k11=v,k12=v,k13=v,k14=v,k15=v,k16=v,k17=v,k18=v,k19=v,k20=v,k21=v,k22=v,k23=v,k24=v,k25=v,k26=v,k27=v,k28=v,k29=v,k30=v,k31=v,k32=v,k33=v,k34=v,k35=v,k36=v,k37=v,k38=v,k39=v,k40=v,k41=v,k42=v,k43=v,k44=v,k45=v,k46=v,k47=v,k48=v,k49=v,k50=v,k51=v,k52=v,k53=v,k54=v,k55=v,k56=v,k57=v,k58=v,k59=v,k60=v,k61=v,k62=v,k63=v,k64=v,k65=v,k66=v,...(thousands more)

Before the fix, the baggage extractor in packages/dd-trace/src/opentracing/propagation/text_map.js iterated over every comma-separated pair in the incoming header and inserted each into a map with no bounds check. The limits DD_TRACE_BAGGAGE_MAX_ITEMS and DD_TRACE_BAGGAGE_MAX_BYTES existed only in the inject code path.

PR #8255 (commit 00a239a1e2, by Ruben Bridgewater) added the same item-count and byte-size guards to the extract path: parsing now stops as soon as the running byte total exceeds baggageMaxBytes or the item count exceeds baggageMaxItems, matching the behavior already present for injection.

The root cause is CWE-770 (Allocation of Resources Without Limits or Throttling) and CWE-400 (Uncontrolled Resource Consumption).

The fix

Upgrade dd-trace to version 5.100.0 or later. If an immediate upgrade is not possible, either remove baggage from DD_TRACE_PROPAGATION_STYLE (or DD_TRACE_PROPAGATION_STYLE_EXTRACT) to disable baggage extraction entirely, or enforce a cap on the maximum HTTP request header size at an upstream proxy (for example, Nginx large_client_header_buffers, Apache LimitRequestFieldSize, or Envoy max_request_headers_kb).

Reported by Ruben Bridgewater.

References: [1][2]

Related research