7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2026-29181

CVE-2026-29181: OpenTelemetry-Go: multi-value `baggage` header extraction causes excessive allocations (remote dos amplification)

multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. this allows an attacker to amplify cpu and allocations by sending many baggage: header lines, even when each individual value is within the 8192-byte per-value parse limit.

severity

HIGH (availability / remote request amplification)

relevant links

repository: https://github.com/open-telemetry/opentelemetry-go
pinned callsite: https://github.com/open-telemetry/opentelemetry-go/blob/1ee4a4126dbdd1bc79e9fae072fa488beffac52a/propagation/baggage.go#L58

vulnerability details

pins: open-telemetry/opentelemetry-go@1ee4a4126dbdd1bc79e9fae072fa488beffac52a as-of: 2026-02-04 policy: direct (no program scope provided)

callsite: propagation/baggage.go:58 (extractMultiBaggage) attacker control: inbound HTTP request headers (many baggage field-values) → propagation.HeaderCarrier.Values("baggage") → repeated baggage.Parse + member aggregation

root cause

extractMultiBaggage iterates over all baggage header field-values and parses each one independently, then appends members into a shared slice. the 8192-byte parsing cap applies per header value, but the multi-value path repeats that work once per header line (bounded only by the server/proxy header byte limit).

impact

in a default net/http configuration (max header bytes 1mb), a single request with many baggage: header field-values can cause large per-request allocations and increased latency.

example from the attached PoC harness (darwin/arm64; 80 values; 40 requests):

canonical: per_req_alloc_bytes=10315458 and p95_ms=7
control: per_req_alloc_bytes=133429 and p95_ms=0

proof of concept

canonical:

mkdir -p poc
unzip poc.zip -d poc
cd poc
make test

output (excerpt):

[CALLSITE_HIT]: propagation/baggage.go:58 extractMultiBaggage
[PROOF_MARKER]: baggage_multi_value_amplification p95_ms=7 per_req_alloc_bytes=10315458 per_req_allocs=16165

control:

cd poc
make control

control output (excerpt):

[NC_MARKER]: baggage_single_value_baseline p95_ms=0 per_req_alloc_bytes=133429 per_req_allocs=480

expected: multiple baggage header field-values should be semantically equivalent to a single comma-joined baggage value and should not multiply parsing/alloc work within the effective header byte budget. actual: multiple baggage header field-values trigger repeated parsing and member aggregation, causing high per-request allocations and increased latency even when each individual value is within 8192 bytes.

fix recommendation

avoid repeated parsing across multi-values by enforcing a global budget and/or normalizing multi-values into a single value before parsing. one mitigation approach is to treat multi-values as a single comma-joined string and cap total parsed bytes (for example 8192 bytes total).

fix accepted when: under the default PoC harness settings, canonical stays within 2x of control for per_req_alloc_bytes and per_req_allocs, and p95_ms stays below 2ms.

poc.zip PR_DESCRIPTION.md

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2026-29181

CVE-2026-29181:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Is this CVE running in your environment?

Easily map the attack path and prioritize which CVEs are a threat to your organization

Validate Exposure

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
go.opentelemetry.io/otel	go	>= 1.36.0, <= 1.40.0	1.41.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability, identified as GHSA-mh2q-q3fh-2475, is a denial-of-service (DoS) weakness in OpenTelemetry-Go caused by excessive resource consumption when parsing W3C baggage headers. The root cause is the amplification of CPU and memory allocation when an HTTP request contains multiple baggage header fields.

The exploitation path begins at propagation.Baggage.Extract, the public entry point for baggage extraction. When multiple baggage headers are present, this function calls the internal propagation.extractMultiBaggage function. In its vulnerable state, extractMultiBaggage would iterate through every single baggage header value provided by the attacker. For each value, it would call baggage.Parse to process the string, and then aggregate the results. There was no mechanism to limit the total number of members collected across all headers, allowing the list of members to grow excessively.

This led to two primary points of resource exhaustion:

Repeated Parsing: The baggage.Parse function was called for each header, amplifying the CPU cost.
Excessive Allocation: After parsing, the baggage.New function was called with the aggregated list of all members. The vulnerable version of New would create a full string representation of all members in memory to check if it exceeded the size limit, leading to a massive memory allocation that could cause the application to slow down or crash.

The patch mitigates this by introducing checks early in the process. extractMultiBaggage now stops collecting members once the maximum limit (64) is reached. Furthermore, baggage.Parse and baggage.New were updated to incrementally validate limits and truncate data, preventing the large intermediate allocations that were the core of the DoS attack.

Vulnerable functions

go.opentelemetry.io/otel/propagation.Baggage.Extract

Vulnerability Intelligence
Miggo AI

Unlock WAF rules for this CVE

Generate vendor-ready rules for the observed attack patterns, plus reasoning and safe deployment guidance

Get WAF rules

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2026-29181: OpenTelemetry-Go: multi-value `baggage` header extraction causes excessive allocations (remote dos amplification)

severity

relevant links

vulnerability details

root cause

impact

proof of concept

fix recommendation

CVE-2026-29181:

7.5

-

Basic Information

Basic Information

Is this CVE running in your environment?

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

Vulnerability IntelligenceMiggo AI

Unlock WAF rules for this CVE

WAF Protection Rules

WAF Rule

Reasoning

CVE-2026-29181: OpenTelemetry-Go: multi-value `baggage` header extraction causes excessive allocations (remote dos amplification)

severity

relevant links

vulnerability details

root cause

impact

proof of concept

fix recommendation

Technical Details

7.5

7.5

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI