Intel

AIKIDO-2026-391824

datadog/dd-trace is vulnerable to Denial of Service (DoS)

Denial of Service (DoS)CVE-2026-50275 Published 3 days ago

75

High Risk

This Affects:

PHPdatadog/dd-trace
0.0.1 - 1.19.1
Fixed in 1.19.2
Are you affected? Scan for Free

TL;DR

The tracer parses incoming W3C baggage propagation HTTP headers on the extract path without enforcing item-count or byte-size limits. The DD_TRACE_BAGGAGE_MAX_ITEMS (default 64) and DD_TRACE_BAGGAGE_MAX_BYTES (default 8192) limits were applied only when injecting baggage, not when extracting it. A remote, unauthenticated attacker can send a request whose baggage header contains an arbitrarily large number of comma-separated key-value pairs or a single very large value, causing the tracer to allocate a hash-map entry per pair on every request and consume unbounded CPU and memory. The fix restricts the accepted amount of extracted tags and baggage on the extraction path.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and the baggage propagation style is enabled for extraction, which is the default in most configurations.

Background info

datadog/dd-trace is vulnerable to Denial of Service (DoS) in versions 0.0.1 - 1.19.1.

How to fix this

Upgrade the datadog/dd-trace library to the patch version.