datadog/dd-trace is vulnerable to Denial of Service (DoS)
75
High Risk
The tracer parses incoming W3C baggage propagation HTTP headers on the extract path without enforcing item-count or byte-size limits. The DD_TRACE_BAGGAGE_MAX_ITEMS (default 64) and DD_TRACE_BAGGAGE_MAX_BYTES (default 8192) limits were applied only when injecting baggage, not when extracting it. A remote, unauthenticated attacker can send a request whose baggage header contains an arbitrarily large number of comma-separated key-value pairs or a single very large value, causing the tracer to allocate a hash-map entry per pair on every request and consume unbounded CPU and memory. The fix restricts the accepted amount of extracted tags and baggage on the extraction path.
You are affected if you are using a version that falls within the vulnerable range and the baggage propagation style is enabled for extraction, which is the default in most configurations.
datadog/dd-trace is vulnerable to Denial of Service (DoS) in versions 0.0.1 - 1.19.1.
Upgrade the datadog/dd-trace library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant