CVE-2026-50273: Datadog.Trace Unbounded W3C Baggage Extraction DoS
The Datadog .NET tracing library parsed incoming W3C baggage HTTP headers without any item-count or size limits, letting an unauthenticated attacker crash or starve any instrumented service with a sin
The problem
All versions of Datadog.Trace before 3.43.0 enforced baggage limits (DD_TRACE_BAGGAGE_MAX_ITEMS, default 64; DD_TRACE_BAGGAGE_MAX_BYTES, default 8192) only on the injection (outbound) path. The extraction (inbound) path had no equivalent guard.
A remote, unauthenticated attacker can send an HTTP request whose baggage header contains thousands of comma-separated key=value pairs or a single multi-megabyte value. The tracer allocates a dictionary entry for every pair on every request, causing unbounded CPU and memory growth and enabling a remote Denial of Service.
Because baggage extraction is enabled by default (the default propagation style is datadog,tracecontext,baggage), any internet-facing service instrumented with an affected version is exposed without any additional configuration.
Proof of concept
A working proof-of-concept for CVE-2026-50273 in Datadog.Trace, with the exact payload below.
GET / HTTP/1.1
Host: victim.example.com
baggage: k1=v1,k2=v2,k3=v3,[... repeat to 10 000+ pairs ...],k10000=v10000
The W3C baggage header is a comma-delimited list of name=value pairs. The pre-patch extractor iterated over every pair and inserted it into a Dictionary<string,string> with no item-count or total-byte ceiling. Limits that existed in the codebase (DD_TRACE_BAGGAGE_MAX_ITEMS and DD_TRACE_BAGGAGE_MAX_BYTES) were checked only inside the injection code path, so they offered no protection at extract time.
PR #8555 ('Apply baggage limits on extract') ported those same guards to the extraction path, making the parser stop and discard excess pairs once either the item count or the byte budget is exceeded. The root cause is CWE-770 (Allocation of Resources Without Limits or Throttling) combined with CWE-400 (Uncontrolled Resource Consumption).
The fix
Upgrade Datadog.Trace (NuGet) to version 3.43.0 or later. If an immediate upgrade is not possible, remove baggage from DD_TRACE_PROPAGATION_STYLE_EXTRACT (or DD_TRACE_PROPAGATION_STYLE) to disable baggage extraction entirely. As a defence-in-depth measure, cap the maximum inbound header size at an upstream proxy such as Nginx (large_client_header_buffers), Apache (LimitRequestFieldSize), or Envoy (max_request_headers_kb).
Related research
- high · 7.5CVE-2026-53460CVE-2026-53460: Magick.NET (ImageMagick) AcquireAlignedMemory Policy Bypass DoS
- high · 7.5CVE-2026-50276CVE-2026-50276: datadog (dd-trace-rb) W3C Baggage Header Denial of Service
- high · 7.5CVE-2026-50271CVE-2026-50271: ddtrace Uncontrolled Resource Consumption via W3C Baggage Header Parsing
- high · 7.5CVE-2026-50272CVE-2026-50272: dd-trace Unbounded W3C Baggage Extraction DoS