go.opentelemetry.io/otel/baggage
cpe:2.3:a:opentelemetry:opentelemetry:*:*:*:*:go:*:*
- >= v1.36.0, <= 1.40.0
A denial-of-service vulnerability has been identified in OpenTelemetry-Go, specifically in versions 1.36.0 prior to 1.40.0. The issue arises in the multi-value baggage header extraction process, which independently parses each header field-value and aggregates the results. This behavior allows an attacker to amplify CPU usage and memory allocations by sending multiple baggage header lines, even if each individual value complies with the 8192-byte per-value limit. The vulnerability is present in the 'go.opentelemetry.io/otel/baggage' and 'go.opentelemetry.io/otel/propagation' packages.
Exploitation of this vulnerability leads to significantly increased memory allocations and latency for each affected request. In testing, a single request with 80 baggage header values caused over 10 megabytes of additional memory allocation and increased processing time, compared to a control request with a single value.
The vulnerability can be reproduced by sending an HTTP request with multiple 'baggage' header lines. Each line should be within the 8192-byte limit, but the cumulative effect of parsing them individually can be demonstrated. This can be automated with a proof-of-concept that sends such requests and measures the resulting memory allocation and processing time.
Users can upgrade to OpenTelemetry-Go version 1.41.0, where this vulnerability has been fixed.
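For deployments that cannot upgrade immediately, the practical defence is to bound the aggregate size of the baggage header before any propagator parses it, since the per-value limit alone does not constrain the sum. The following net/http middleware is an added example, not code from the OpenTelemetry-Go project; the line and byte caps are assumed values a deployment would tune.

```go
package main

import (
	"fmt"
	"net/http"
)

// Assumed caps for this example (not values taken from the advisory): the
// advisory's 8192-byte per-value limit is kept for reference, and the
// aggregate budget is what a deployment would actually tune.
const (
	perValueLimit   = 8192
	maxBaggageLines = 4
	maxBaggageBytes = 2 * perValueLimit
)

// baggageBudget counts every "baggage" header line on the request and the
// bytes they add up to, and reports whether both stay within the budget.
func baggageBudget(h http.Header, maxLines, maxBytes int) (lines, total int, ok bool) {
	vals := h.Values("Baggage") // all repeated header lines, not just the first
	for _, v := range vals {
		total += len(v)
	}
	lines = len(vals)
	ok = lines <= maxLines && total <= maxBytes
	return lines, total, ok
}

// limitBaggage rejects a request whose baggage lines collectively exceed the
// budget with 431 before the wrapped handler (and any propagator) sees it.
func limitBaggage(next http.Handler, maxLines, maxBytes int) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, _, ok := baggageBudget(r.Header, maxLines, maxBytes); !ok {
			http.Error(w, "baggage header budget exceeded", http.StatusRequestHeaderFieldsTooLarge)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed header with two small baggage lines, which fits the budget.
	h := http.Header{}
	h.Add("Baggage", "k1=v1")
	h.Add("Baggage", "k2=v2")
	lines, total, ok := baggageBudget(h, maxBaggageLines, maxBaggageBytes)
	fmt.Printf("lines=%d bytes=%d within_budget=%v\n", lines, total, ok)
}
```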