CVE-2025-27513

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-27513
OpenTelemetry dotnet is a dotnet telemetry framework. A vulnerability in OpenTelemetry.Api package 1.10.0 to 1.11.1 could cause a Denial of Service (DoS) when a tracestate and traceparent header is received. Even if an application does not explicitly use trace context propagation, receiving these headers can still trigger high CPU usage. This issue impacts any application accessible over the web or backend services that process HTTP requests containing a tracestate header. Application may experience excessive resource consumption, leading to increased latency, degraded performance, or downtime. This vulnerability is fixed in 1.11.2.

7.5 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/open-telemetry/opentelemetry-dotnet/commit/1b555c1201413f2f55f2cd3c4ba03ef4b615b6b5
https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-8785-wc3w-h8q6
Configurations

No configuration.

History

15 Apr 2026, 00:35

Type Values Removed Values Added
Summary
  • (es) OpenTelemetry dotnet es un framework de telemetría de dotnet. Una vulnerabilidad en el paquete OpenTelemetry.Api 1.10.0 a 1.11.1 podría provocar una denegación de servicio (DoS) cuando se recibe un encabezado tracestate y traceparent. Incluso si una aplicación no utiliza explícitamente la propagación del contexto de seguimiento, la recepción de estos encabezados puede provocar un alto uso de la CPU. Este problema afecta a cualquier aplicación accesible a través de la web o servicios de backend que procesen solicitudes HTTP que contengan un encabezado tracestate. La aplicación puede experimentar un consumo excesivo de recursos, lo que genera mayor latencia, rendimiento degradado o tiempo de inactividad. Esta vulnerabilidad se solucionó en 1.11.2.

05 Mar 2025, 19:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-03-05 19:15

Updated : 2026-04-15 00:35

NVD link : CVE-2025-27513

Mitre link : CVE-2025-27513

CVE.ORG link : CVE-2025-27513

JSON object : View

Products Affected

No product.

CWE
CWE-770

Allocation of Resources Without Limits or Throttling