Skip to content

OpenTelemetry .NET has Denial of Service (DoS) Vulnerability in API Package

Moderate severity GitHub Reviewed Published Mar 5, 2025 in open-telemetry/opentelemetry-dotnet • Updated Mar 5, 2025

Package

nuget OpenTelemetry.Api (NuGet)

Affected versions

>= 1.11.0, < 1.11.2
= 1.10.0
= 1.10.0-beta.1
= 1.10.0-rc.1
= 1.11.0-rc.1

Patched versions

1.11.2

Description

Impact

What kind of vulnerability is it? Who is impacted?

A vulnerability in OpenTelemetry.Api package 1.10.0 to 1.11.1 could cause a Denial of Service (DoS) when a tracestate and traceparent header is received.

  • Even if an application does not explicitly use trace context propagation, receiving these headers can still trigger high CPU usage.
  • This issue impacts any application accessible over the web or backend services that process HTTP requests containing a tracestate header.
  • Application may experience excessive resource consumption, leading to increased latency, degraded performance, or downtime.

Patches

Has the problem been patched? What versions should users upgrade to?

This issue has been resolved in OpenTelemetry.Api 1.11.2 by reverting the change that introduced the problematic behavior in versions 1.10.0 to 1.11.1.

  • The fix ensures that valid tracing headers no longer cause excessive CPU consumption when received in requests.

    • Fixed Version:

    OpenTelemetry .NET Version Status
    <= 1.9.x ✅ Not affected
    1.10.0 - 1.11.1 ❌ Vulnerable
    1.11.2 (Fixed) ✅ Safe to use

    Upgrade Command:

    dotnet add package OpenTelemetry --version 1.11.2

    Delisting of Affected Packages
    To prevent accidental usage, we have delisted the affected versions (1.10.0 to 1.11.1) from NuGet. Users should avoid these versions and upgrade to 1.11.2 immediately.

    Workarounds

    Is there a way for users to fix or remediate the vulnerability without upgrading?

    References

    Are there any links users can visit to find out more?

    References

    @rajkumar-rangaraj rajkumar-rangaraj published to open-telemetry/opentelemetry-dotnet Mar 5, 2025
    Published to the GitHub Advisory Database Mar 5, 2025
    Reviewed Mar 5, 2025
    Published by the National Vulnerability Database Mar 5, 2025
    Last updated Mar 5, 2025

    Severity

    Moderate

    CVSS overall score

    This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
    / 10

    CVSS v3 base metrics

    Attack vector
    Network
    Attack complexity
    Low
    Privileges required
    None
    User interaction
    Required
    Scope
    Unchanged
    Confidentiality
    None
    Integrity
    None
    Availability
    High

    CVSS v3 base metrics

    Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
    Attack complexity: More severe for the least complex attacks.
    Privileges required: More severe if no privileges are required.
    User interaction: More severe when no user interaction is required.
    Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
    Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
    Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
    Availability: More severe when the loss of impacted component availability is highest.
    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

    EPSS score

    Exploit Prediction Scoring System (EPSS)

    This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
    (27th percentile)

    Weaknesses

    Allocation of Resources Without Limits or Throttling

    The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor. Learn more on MITRE.

    CVE ID

    CVE-2025-27513

    GHSA ID

    GHSA-8785-wc3w-h8q6

    Source code

    Loading Checking history
    See something to contribute? Suggest improvements for this vulnerability.