CVE-2026-50273
Datadog .NET Tracer is a client library for Datadog APM for .NET applications. Prior to 3.43.0, Datadog tracing libraries that implement W3C
CVSS
7.5
Alto
EPSS
—
KEV
—
Exploit Today
—
0-100
Publicado: 17 jul 2026 · Última mod.: 17 jul 2026 · CWE-770
Sin historial EPSS suficiente todavía.
Datadog .NET Tracer is a client library for Datadog APM for .NET applications. Prior to 3.43.0, Datadog tracing libraries that implement W3C baggage propagation parse incoming baggage HTTP headers without enforcing DD_TRACE_BAGGAGE_MAX_ITEMS or DD_TRACE_BAGGAGE_MAX_BYTES on extraction, allowing a remote unauthenticated attacker to send a baggage header with many comma-separated key-value pairs or one very large value and cause unbounded CPU and memory consumption in services with baggage propagation enabled. This issue is fixed in version 3.43.0.
- github.comhttps://github.com/DataDog/dd-trace-dotnet/commit/38092e0d41a36decbe649e048e48ae1b1607292f
- github.comhttps://github.com/DataDog/dd-trace-dotnet/pull/8555
- github.comhttps://github.com/DataDog/dd-trace-dotnet/releases/tag/v3.43.0
- github.comhttps://github.com/DataDog/dd-trace-dotnet/security/advisories/GHSA-38wr-vpc7-2mp4