{
  "schema_version": "1.4.0",
  "id": "GHSA-vc29-vg52-6643",
  "modified": "2025-03-06T22:33:43Z",
  "published": "2025-03-06T22:33:43Z",
  "aliases": [],
  "summary": "DoS Vulnerability in TraceContextPropagator.Extract - OpenTelemetry.Api",
  "details": "### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nA vulnerability in `OpenTelemetry.Api` package `1.10.0` to `1.11.1` could cause a [Denial of Service (DoS) when a tracestate and traceparent header is received](https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-8785-wc3w-h8q6). These versions are used in OpenTelemetry .NET Automatic Instrumentation `1.10.0-beta.1` and `1.10.0`.\n\nEven if an application does not explicitly use trace context propagation, receiving these headers can still trigger high CPU usage.\nThis issue impacts any application accessible over the web or backend services that process HTTP requests containing a tracestate header.\nApplication may experience excessive resource consumption, leading to increased latency, degraded performance, or downtime.\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\nThis issue has been resolved in `OpenTelemetry.Api` `1.11.2` by reverting the change that introduced the problematic behavior in versions `1.10.0` to `1.11.1`. OpenTelemetry .NET Automatic Instrumentation fixes it in `1.11.0` release.\n\n## Fixed version\n\n| OpenTelemetry .NET Automatic Instrumentation | Status |\n|----|----|\n| <= 1.9.0 | ✅ Not affected |\n| 1.10.0-beta.1, 1.10.0 | ❌ Vulnerable |\n| 1.11.0 (Fixed)| ✅ Safe to use|\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\n### References\n_Are there any links users can visit to find out more?_",
  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "OpenTelemetry.AutoInstrumentation"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "1.10.0-beta.1"
            },
            {
              "fixed": "1.11.0"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/open-telemetry/opentelemetry-dotnet-instrumentation/security/advisories/GHSA-vc29-vg52-6643"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-8785-wc3w-h8q6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27513"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/open-telemetry/opentelemetry-dotnet-instrumentation"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-770"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-06T22:33:43Z",
    "nvd_published_at": null
  }
}