CVE-2026-50276: datadog (dd-trace-rb) W3C Baggage Header Denial of Service
The Datadog Ruby tracing gem parsed incoming W3C baggage HTTP headers with no item-count or size limit, so an unauthenticated attacker could crash any instrumented Ruby service by sending a single ove
The problem
The dd-trace-rb gem's W3C baggage propagator applied DD_TRACE_BAGGAGE_MAX_ITEMS (default 64) and DD_TRACE_BAGGAGE_MAX_BYTES (default 8192) only when injecting outbound headers, not when extracting inbound ones.
Every incoming request with a baggage header caused the tracer to allocate a hash-map entry for each comma-separated key=value pair, with no cap. A remote, unauthenticated attacker can send requests with thousands of pairs or a single multi-megabyte value, causing unbounded CPU and memory growth and eventually a denial of service.
Baggage propagation is on by default, so any internet-facing Ruby app instrumented with an affected gem version is exposed.
Proof of concept
A working proof-of-concept for CVE-2026-50276 in datadog, with the exact payload below.
GET /any-endpoint HTTP/1.1
Host: target.example.com
baggage: k1=v1,k2=v2,k3=v3,[...repeat 50000+ pairs...]The root cause is a missing guard on the extraction path. The injection path already enforced DD_TRACE_BAGGAGE_MAX_ITEMS and DD_TRACE_BAGGAGE_MAX_BYTES, but the extractor called the CSV parser on the raw header value before any limit check. This is confirmed across every Datadog tracer that shipped the same fix in this period: dd-trace-go, dd-trace-java, and dd-trace-cpp all describe the patch identically as applying size and count limits on extraction.
The fix in 2.32.0 moves the limit enforcement to the extract path, short-circuiting parsing as soon as the item count or total byte budget is exceeded. CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling) both apply.
No public PoC exists; payload is derived directly from the advisory description and confirmed patch behavior across the Datadog tracer family.
The fix
Upgrade the datadog gem to version 2.32.0 or later (gem 'datadog', '>= 2.32.0'). If you cannot upgrade immediately, remove 'baggage' from DD_TRACE_PROPAGATION_STYLE or set DD_TRACE_PROPAGATION_STYLE_EXTRACT to a value that excludes it. As a network-layer mitigation, cap total HTTP request header size at an upstream proxy: Nginx large_client_header_buffers, Apache LimitRequestFieldSize, or Envoy max_request_headers_kb.
Reported by tonghuaroot.
Related research
- high · 8.7CVE-2026-54498CVE-2026-54498: view_component around_render HTML-Safety Bypass XSS
- high · 7.5CVE-2026-50271CVE-2026-50271: ddtrace Uncontrolled Resource Consumption via W3C Baggage Header Parsing
- high · 7.5CVE-2026-50272CVE-2026-50272: dd-trace Unbounded W3C Baggage Extraction DoS
- high · 7.5CVE-2026-50273CVE-2026-50273: Datadog.Trace Unbounded W3C Baggage Extraction DoS