{
"schema_version": "1.4.0",
"id": "GHSA-8785-wc3w-h8q6",
"modified": "2025-03-05T21:54:14Z",
"published": "2025-03-05T18:15:22Z",
"aliases": [
"CVE-2025-27513"
],
"summary": "OpenTelemetry .NET has Denial of Service (DoS) Vulnerability in API Package",
"details": "### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nA vulnerability in `OpenTelemetry.Api` package `1.10.0` to `1.11.1` could cause a Denial of Service (DoS) when a `tracestate` and `traceparent` header is received.\n\n* Even if an application does not explicitly use trace context propagation, receiving these headers can still trigger high CPU usage.\n* This issue impacts any application accessible over the web or backend services that process HTTP requests containing a `tracestate` header.\n* Application may experience excessive resource consumption, leading to increased latency, degraded performance, or downtime.\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\nThis issue has been resolved in OpenTelemetry.Api 1.11.2 by reverting the change that introduced the problematic behavior in versions 1.10.0 to 1.11.1.The fix ensures that valid tracing headers no longer cause excessive CPU consumption when received in requests.Fixed Version:
\nOpenTelemetry .NET Version | Status\n-- | --\n<= 1.9.x | ✅ Not affected\n1.10.0 - 1.11.1 | ❌ Vulnerable\n1.11.2 (Fixed) | ✅ Safe to use\n\n**Upgrade Command:**\n\n```\ndotnet add package OpenTelemetry --version 1.11.2\n```\n\n**Delisting of Affected Packages**\nTo prevent accidental usage, we have delisted the affected versions (1.10.0 to 1.11.1) from NuGet. Users should avoid these versions and upgrade to 1.11.2 immediately.\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\n### References\n_Are there any links users can visit to find out more?_",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
}
],
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "OpenTelemetry.Api"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "1.11.0"
},
{
"fixed": "1.11.2"
}
]
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "OpenTelemetry.Api"
},
"versions": [
"1.10.0"
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "OpenTelemetry.Api"
},
"versions": [
"1.10.0-beta.1"
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "OpenTelemetry.Api"
},
"versions": [
"1.10.0-rc.1"
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "OpenTelemetry.Api"
},
"versions": [
"1.11.0-rc.1"
]
}
],
"references": [
{
"type": "WEB",
"url": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-8785-wc3w-h8q6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27513"
},
{
"type": "WEB",
"url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/6161"
},
{
"type": "WEB",
"url": "https://github.com/open-telemetry/opentelemetry-dotnet/commit/1b555c1201413f2f55f2cd3c4ba03ef4b615b6b5"
},
{
"type": "PACKAGE",
"url": "https://github.com/open-telemetry/opentelemetry-dotnet"
}
],
"database_specific": {
"cwe_ids": [
"CWE-770"
],
"severity": "MODERATE",
"github_reviewed": true,
"github_reviewed_at": "2025-03-05T18:15:22Z",
"nvd_published_at": "2025-03-05T19:15:39Z"
}
}