## OpenTelemetry-Go Baggage Parsing Vulnerability Enables Remote DoS Amplification
A security vulnerability in the OpenTelemetry-Go library exposes applications to potential denial-of-service attacks through crafted baggage headers. The flaw (CVE-2026-29181, tracked as GHSA-mh2q-q3fh-2475) allows remote attackers to trigger excessive memory allocations by sending specially constructed multi-value baggage headers, achieving amplification effects that could overwhelm targeted services.

The vulnerability stems from how OpenTelemetry-Go processes multi-value baggage headers. The library parses each header field-value independently before aggregating members across values, creating a memory allocation pattern that attackers can exploit for DoS amplification. This parsing behavior becomes dangerous when processing untrusted or external input, as attackers can craft headers designed to maximize allocation overhead with minimal request volume. The affected versions span v1.39.0 through v1.40.x, with the security patch available in v1.41.0.
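
A guard for the multi-value case described above, as an added example that is not OpenTelemetry-Go code and not a substitute for the v1.41.0 fix: it caps the number and combined size of baggage field-values before any propagator extracts them. The caps and the names `LimitBaggage`, `baggageWithinLimits` and `seenBaggageValues` are assumptions of this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Assumed caps (field-values per request, combined bytes); the advisory states none.
const maxBaggageValues, maxBaggageBytes = 4, 8192

// baggageWithinLimits checks the aggregate across every field-value.
func baggageWithinLimits(h http.Header) bool {
	values := h.Values("Baggage")
	total := 0
	for _, v := range values {
		total += len(v)
	}
	return len(values) <= maxBaggageValues && total <= maxBaggageBytes
}

// LimitBaggage drops oversized baggage; the request itself is still served.
func LimitBaggage(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !baggageWithinLimits(r.Header) {
			r.Header.Del("Baggage")
		}
		next.ServeHTTP(w, r)
	})
}

// seenBaggageValues runs a constructed request through the guard and
// returns how many baggage field-values reach the wrapped handler.
func seenBaggageValues(values []string) int {
	seen := -1
	inner := http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) {
		seen = len(r.Header.Values("Baggage"))
	})
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	for _, v := range values {
		req.Header.Add("Baggage", v)
	}
	LimitBaggage(inner).ServeHTTP(httptest.NewRecorder(), req)
	return seen
}

func main() {
	fmt.Println(seenBaggageValues([]string{"a=1", "b=2"})) // prints 2
}
```

Wrap the handler chain so this guard runs outside any instrumentation middleware that extracts baggage; a guard placed after extraction has no effect.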

Organizations using OpenTelemetry-Go for distributed tracing and observability face direct exposure, particularly those with internet-facing services or workflows that process baggage headers from external sources. The vulnerability raises risk for any application where untrusted input can reach OpenTelemetry's header parsing logic. Maintainers recommend immediate upgrade to v1.41.0 for any production deployments, with particular urgency for services handling cross-service context propagation across trust boundaries. As the library underpins a significant portion of Go-based observability infrastructure, downstream projects and frameworks depending on OpenTelemetry instrumentation should also assess their exposure and apply patches accordingly.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: opentelemetry, golang, cve-2026-29181, denial-of-service, security-vulnerability
- **Credibility**: unverified
- **Published**: 2026-04-24 22:54:07
- **ID**: 76981
- **URL**: https://whisperx.ai/en/intel/76981