dd-trace is vulnerable to Cleartext Transmission of Sensitive Information
59
Medium Risk
The dd-trace agentless exporter and the shared HTTP request helper can place the Datadog API key on a plain HTTP connection to a non-loopback host when agentless intake is configured, or when a cleartext intake URL is inherited from the agent settings. Affected versions also include sensitive configuration values, such as DD_API_KEY, DD_APP_KEY, and OTLP header maps, in the library's configuration telemetry. Before the fix, an on-path observer of the cleartext connection, or any unintended recipient of the telemetry payload, could read these credentials. The patch forces agentless intake onto HTTPS, strips API-key headers from cleartext requests to non-loopback hosts, and omits the sensitive configuration entries from telemetry. Cleartext requests to loopback addresses (the usual local-agent case) are not affected by the header stripping.
You are affected if you run a version in the vulnerable range and either use agentless span intake with DD_API_KEY, or use an exporter path that can send the Datadog API key over plain HTTP to a non-loopback host.
dd-trace is vulnerable to Cleartext Transmission of Sensitive Information in versions 5.88.0 - 5.106.0.
Upgrade the dd-trace library to a patched version (later than 5.106.0). If you cannot upgrade immediately, make sure any non-loopback intake URL is https:// and that an agentless configuration is not inheriting a cleartext agent URL.