GHSA-8785-WC3W-H8Q6

Vulnerability from github – Published: 2025-03-05 18:15 – Updated: 2025-03-05 21:54
VLAI?
Summary
OpenTelemetry .NET has Denial of Service (DoS) Vulnerability in API Package
Details

Impact

What kind of vulnerability is it? Who is impacted?

A vulnerability in OpenTelemetry.Api package 1.10.0 to 1.11.1 could cause a Denial of Service (DoS) when a tracestate and traceparent header is received.

  • Even if an application does not explicitly use trace context propagation, receiving these headers can still trigger high CPU usage.
  • This issue impacts any application accessible over the web or backend services that process HTTP requests containing a tracestate header.
  • Application may experience excessive resource consumption, leading to increased latency, degraded performance, or downtime.

Patches

Has the problem been patched? What versions should users upgrade to?

This issue has been resolved in OpenTelemetry.Api 1.11.2 by reverting the change that introduced the problematic behavior in versions 1.10.0 to 1.11.1.

  • The fix ensures that valid tracing headers no longer cause excessive CPU consumption when received in requests.

    • Fixed Version:

    OpenTelemetry .NET Version | Status -- | -- <= 1.9.x | ✅ Not affected 1.10.0 - 1.11.1 | ❌ Vulnerable 1.11.2 (Fixed) | ✅ Safe to use

    Upgrade Command:

    dotnet add package OpenTelemetry --version 1.11.2

    Delisting of Affected Packages To prevent accidental usage, we have delisted the affected versions (1.10.0 to 1.11.1) from NuGet. Users should avoid these versions and upgrade to 1.11.2 immediately.

    Workarounds

    Is there a way for users to fix or remediate the vulnerability without upgrading?

    References

    Are there any links users can visit to find out more?

    Severity ?
    6.5 (Medium)
    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
    Show details on source website
    To clipboard 

    {
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "OpenTelemetry.Api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.11.0"
            },
            {
              "fixed": "1.11.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "OpenTelemetry.Api"
      },
      "versions": [
        "1.10.0"
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "OpenTelemetry.Api"
      },
      "versions": [
        "1.10.0-beta.1"
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "OpenTelemetry.Api"
      },
      "versions": [
        "1.10.0-rc.1"
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "OpenTelemetry.Api"
      },
      "versions": [
        "1.11.0-rc.1"
      ]
    }
  ],
  "aliases": [
    "CVE-2025-27513"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-05T18:15:22Z",
    "nvd_published_at": "2025-03-05T19:15:39Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nA vulnerability in `OpenTelemetry.Api` package `1.10.0` to `1.11.1` could cause a Denial of Service (DoS) when a `tracestate` and `traceparent` header is received.\n\n* Even if an application does not explicitly use trace context propagation, receiving these headers can still trigger high CPU usage.\n* This issue impacts any application accessible over the web or backend services that process HTTP requests containing a `tracestate` header.\n* Application may experience excessive resource consumption, leading to increased latency, degraded performance, or downtime.\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\nThis issue has been \u003cstrong data-start=\"1143\" data-end=\"1184\"\u003eresolved in OpenTelemetry.Api 1.11.2\u003c/strong\u003e by \u003cstrong data-start=\"1188\" data-end=\"1212\"\u003ereverting the change\u003c/strong\u003e that introduced the problematic behavior in versions \u003cstrong data-start=\"1266\" data-end=\"1286\"\u003e1.10.0 to 1.11.1\u003c/strong\u003e.\u003c/li\u003e\u003cli data-start=\"1290\" data-end=\"1409\"\u003eThe fix ensures that \u003cstrong data-start=\"1313\" data-end=\"1380\"\u003evalid tracing headers no longer cause excessive CPU consumption\u003c/strong\u003e when received in requests.\u003c/li\u003e\u003c/ul\u003e\u003ch4 data-start=\"1411\" data-end=\"1434\"\u003e\u003cstrong data-start=\"1416\" data-end=\"1434\"\u003eFixed Version:\u003c/strong\u003e\u003c/h4\u003e\nOpenTelemetry .NET Version | Status\n-- | --\n\u003c= 1.9.x | \u2705 Not affected\n1.10.0 - 1.11.1 | \u274c Vulnerable\n1.11.2 (Fixed) | \u2705 Safe to use\n\n**Upgrade Command:**\n\n```\ndotnet add package OpenTelemetry --version 1.11.2\n```\n\n**Delisting of Affected Packages**\nTo prevent accidental usage, we have delisted the affected versions (1.10.0 to 1.11.1) from NuGet. Users should avoid these versions and upgrade to 1.11.2 immediately.\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\n### References\n_Are there any links users can visit to find out more?_",
  "id": "GHSA-8785-wc3w-h8q6",
  "modified": "2025-03-05T21:54:14Z",
  "published": "2025-03-05T18:15:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-8785-wc3w-h8q6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27513"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/6161"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open-telemetry/opentelemetry-dotnet/commit/1b555c1201413f2f55f2cd3c4ba03ef4b615b6b5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/open-telemetry/opentelemetry-dotnet"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenTelemetry .NET has Denial of Service (DoS) Vulnerability in API Package"
}


    Log in or create an account to share your comment.




    Tags
    Taxonomy of the tags.




    Sightings

    Author Source Type Date

    Nomenclature

    • Seen: The vulnerability was mentioned, discussed, or observed by the user.
    • Confirmed: The vulnerability has been validated from an analyst's perspective.
    • Published Proof of Concept: A public proof of concept is available for this vulnerability.
    • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
    • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
    • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
    • Not confirmed: The user expressed doubt about the validity of the vulnerability.
    • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



    Detection rules are retrieved from Rulezet.