CVE-2026-54285 | opentelemetry-js is the OpenTelemetry JavaScript Client. Pri… | CVSS 5.3 MEDIUM

Description

opentelemetry-js is the OpenTelemetry JavaScript Client. Prior to 2.8.0, W3CBaggagePropagator.extract() in @opentelemetry/core does not enforce size limits when parsing inbound baggage HTTP headers. The W3C Baggage specification recommends a maximum of 8,192 bytes and 180 entries; these limits were only enforced on the outbound (inject()) path, not on the inbound (extract()) path. Parsing oversized baggage causes memory allocation proportional to the header size without any cap. This vulnerability is fixed in 2.8.0.

Metadata

CVE ID: CVE-2026-54285
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-12 17:46 UTC
Published: 2026-06-22 16:52 UTC
Last updated: 2026-06-22 16:52 UTC
Primary CWE: CWE-770
CWE-770: Allocation of Resources Without Limits or Throttlin…
Vendor / Product: open-telemetry / opentelemetry-js
Sources: cve.org · NVD

Severity & Metrics

5.3 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Affected products (1)

Vendor	Product	Platform	Versions
open-telemetry	opentelemetry-js	—	< 2.8.0

Weakness (CWE)

CWE	Source	Description
CWE-770	cna	CWE-770: Allocation of Resources Without Limits or Throttling

CVSS scores (1)

Score	Severity	Version	Source	Vector
5.3	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References (1)

https://github.com/open-telemetry/opentelemetry-js/security/advisories/GHSA-8988-4f7v-96qf https://github.com/open-telemetry/opentelemetry-js/security/advisories/GHSA-8988-4f7v-96qf